Saturday, June 19, 2021

Converting a wifi data card into something useful, what's the possible scope?

Some time back we used to have wifi data cards; they were used to provide internet via wifi using SIM cards. I have one which has become useless because it only supports 3G networks. I was thinking, what other ways can this wifi data card be used? Can it be used as a wifi adapter or wifi range extender etc.? Is there anything it can be used for, and is there any way to change its functioning by changing its firmware? Please share your views on this and let me know if there is any way to do so. The data card is a Huawei, model EC315.



Can't wrap my head around GRE

I understand that it's used in a VPN and I understand that it makes 2 routers seem level 2 adjacent, but why does it matter? How is it different than 2 routers forming a connection over the public internet? After all, the data takes the same path either way.



Can I define static NAT from one subnet to another?

Is it possible to define static NAT from one subnet to another using one command?



Why is the FCS of a data frame in the trailer and not the header?

Surely, it would be more efficient to put it at the beginning of the frame to check whether it is the original frame that was intended to be sent.

Can someone explain why this happens to be at the end? I know it's a silly question but I'm interested to know why. Surely if you check it first you can reliably know the frame is authentic.

Please let me know if this is not appropriate as I think it follows the rules but as I am posting for the first time I am unsure.
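An added example (not part of the post) showing the streaming property behind the trailer placement: the sender updates CRC-32 as bytes go out and can only append the result after the last data byte, and the receiver, running the same CRC over everything including the FCS, gets a fixed residue exactly when the frame arrived intact. It uses zlib's CRC-32, which is the polynomial Ethernet uses; the frame contents are constructed.

```python
"""Added example: streaming CRC-32 the way a NIC computes the Ethernet FCS.
The checksum can only be emitted after the last data byte, which is why it
sits in the trailer; the receiver verifies with the same running CRC."""
import struct
import zlib

# CRC-32 over a frame *including* its FCS always yields this constant when the
# frame is intact; a receiver checks for it instead of re-extracting the FCS.
ETH_CRC_RESIDUE = 0x2144DF1C
MIN_PAYLOAD = 46   # pads the frame to the 64-byte Ethernet minimum


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble an Ethernet II frame and append the FCS as the last 4 bytes."""
    if len(payload) < MIN_PAYLOAD:
        payload = payload + b"\x00" * (MIN_PAYLOAD - len(payload))
    header = dst + src + struct.pack("!H", ethertype)
    crc = 0
    # The CRC is updated chunk by chunk while the bytes are already on the
    # wire; nothing at the head of the frame needs to know the final value.
    for chunk in (header, payload):
        crc = zlib.crc32(chunk, crc)
    # The FCS goes out least-significant byte first.
    return header + payload + struct.pack("<I", crc)


def fcs_ok(frame: bytes) -> bool:
    """Receiver side: run every byte, FCS included, through the same CRC.
    The verdict is available the moment the last byte has arrived."""
    return zlib.crc32(frame) == ETH_CRC_RESIDUE


def fcs_value(frame: bytes) -> int:
    """The FCS carried in the trailer, as an integer."""
    return struct.unpack("<I", frame[-4:])[0]


def corrupt(frame: bytes, offset: int) -> bytes:
    """Flip one bit at the given byte offset to simulate a line error."""
    b = bytearray(frame)
    b[offset] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    f = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", 0x0800, b"hello")
    print(len(f), hex(fcs_value(f)), fcs_ok(f), fcs_ok(corrupt(f, 20)))
```

Note that the check only tells the receiver that the frame is undamaged; a CRC is not an authenticity check, since anyone who can alter the frame can recompute it.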



Question about VPN and wifi extender

I'm using my laptop to create a hotspot and then connect my phone to it and use a VPN on my phone.

Is the data communicated from my phone to the router encrypted?

I'm asking this question because I assumed that because the laptop is in the middle, the information the laptop sends to the router is not encrypted.

I checked the IP address on my phone and it showed the location of the VPN which is good.

Will the ISP know which sites I'm visiting?

Thank you and sorry for the long post.



Kemp Load Balancer Synology Docker Install

Hi everyone,

I see that the load balancer can be installed via Docker through Kemp's website. I found the image via Synology Docker, but I can not seem to get this thing to run properly. I have searched and searched online and can not find any documentation around a successful Docker install. Do you have any ideas / resources around installing a Kemp load balancer via Docker on a Synology NAS?

Thank you!



Viptela SD-Wan controllers on Cisco hosted cloud

Hello,

Our company has purchased DNA-C-500M-E-3Y license for Viptela SD-WAN deployment with ISR4431 ISR Edge routers.

Will it be possible to provision the controllers (vManage, vSmart and vBond) with the DNA Essentials license on Cisco hosted cloud as a service, or are they limited to on-prem deployment only?

Thank you



Anybody experience a Dell switch bricking?

Just had a Dell S4048-ON get stuck in a boot loop; we can reach the console but nothing displays. Found a forum on Dell support and they pretty much said the switch is bricked. Also, the director did not buy the warranty. While purchasing another switch isn't an issue, I would like to try and fix this.

Anybody experience anything like this?



Network Solution for Small Business - Router Options for 300+ Simultaneous Clients

We have a small business that has 20 guest rooms, a tavern, and a banquet hall for weddings.
We switched ISPs and the new one is far better service, with up to 800x800 symmetrical fiber, but the router is incredibly residential and often is overloaded when we have a high volume of users.

I am looking for a router solution to work with our 10 access points connected through an unmanaged Netgear gigabit switch to handle the volume. I am also open to using multiple routers to handle the load (as long as the single modem from the ISP doesn't become a bottleneck).

Generally the high volume is about 300+ clients per hour between all the entities, Sonos speakers, and our staff, about 1-2 days a week.
The rest of the week the highest volume is about 100 clients per hour during peak operations in the Tavern.
I'm looking for some network solutions that will help reduce network overload. Thank you in advance for any tips.



I put together a list of 23 network/networking courses you can take!

https://collegecompendium.goldin.io/search?q=network

I’ve spent the last week compiling around 675 publicly available CS courses from around 20 colleges. Of those, there are 23 networking and network-based courses, which span from introductory to pretty advanced!

Hopefully you can get some use out of it. :)



What does an fping output like [<-x.y.z.w]x.y.t.m mean?

Trying to get an inventory of active devices on a newly acquired network, using $ fping -gas network/mask, and some of the results come back in the form of $subj (e.g. [<-10.1.4.2]10.1.4.3). I thought of these being some sort of HSRP/VRRP info (have not received diagrams or devices config yet), but some of these come back "far distanced", vs a normal redundancy config (where one would expect x-1, x, x+1?!?), e.g. [<- 10.1.5.10]10.1.3.255, which looks odd ...
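An added example (not part of the post) that parses lines in the form the post quotes and separates hosts that answered for themselves from targets whose reply arrived from another address. It assumes the bracketed address is the source of the ICMP echo reply, which is how fping prints a reply that did not come from the probed target; the sample output is constructed.

```python
"""Added example: parse `fping -a` style output and flag targets whose echo
reply came from a different address ("[<- a.b.c.d]target" form)."""
import re
from collections import defaultdict
from ipaddress import ip_address

# Accepts both "[<-10.1.4.2]10.1.4.3" and "[<- 10.1.4.2]10.1.4.3".
LINE_RE = re.compile(r"^\s*(?:\[<-\s*(?P<from>[0-9.]+)\])?\s*(?P<target>[0-9.]+)\s*$")

# Constructed sample output, including the trailing stats lines that -s prints.
SAMPLE = """\
10.1.4.20
10.1.4.9
[<-10.1.4.2]10.1.4.3
[<- 10.1.5.10]10.1.3.255
[<- 10.1.5.10]10.1.5.255
     254 targets
       5 alive
"""


def parse(output: str):
    """Yield (target, responder) pairs; responder == target for normal replies."""
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # stats lines and anything unrecognised are skipped
        target = m.group("target")
        yield target, (m.group("from") or target)


def proxied_replies(output: str) -> dict:
    """Map each unexpected responder to the targets it answered for.
    One address answering for many targets is worth a closer look before it
    goes into the inventory: proxy ARP, a NAT box, or a broadcast address
    being answered by a host all produce this pattern."""
    by_responder = defaultdict(list)
    for target, responder in parse(output):
        if responder != target:
            by_responder[responder].append(target)
    return dict(by_responder)


def inventory(output: str) -> list:
    """Addresses that answered for themselves, sorted numerically (not as
    strings, so 10.1.4.9 sorts before 10.1.4.20)."""
    live = {t for t, r in parse(output) if t == r}
    return sorted(live, key=ip_address)


if __name__ == "__main__":
    print(inventory(SAMPLE))
    print(proxied_replies(SAMPLE))
```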



Can I use an eero pro WiFi system, off a cable modem, and a 3750 to feed the clients hard wired devices?

Trying to figure out the best approach to using these three devices, without having to buy new equipment.



IP address

Hi, I went on "what is my IP address" and it shows the wrong location. I restarted my internet and changed my IP but it's still showing the same wrong address. Is this normal or do I need to worry about anything?



Trying to learn outside of school

I’m looking to continue networking over the summer and was wondering if there are any good resources out there to continue on from an intermediate level?



Where does Cisco Systems (or staffing agencies) list their contractor (red badge) jobs?

Seems like Cisco wins potential $1.2B DO Software Support IDIQ worth of contracts from the government and they are one of the biggest Gov contractors overall.

I was wondering who they hand out their contracts to? Are they usually Cisco Gold Partners, or do you become a Cisco Red Badge employee through staffing agencies?

I am a CCIE and specialized in SP and Security

I am trying to work in these projects, there is a lot to learn...

Aside from my first question, where do these red badge Cisco contractors find those openings, since there are no permanent network engineering jobs listed on the cisco.com website?

thx



How to route traffic from another router/gateway?

I’m doing a pentest and have run an nmap scan which produces the following (the .85 IP is from gaining access to the server 1 machine and seeing it as its gateway):

Router/Gateway 1 - 192.168.193.85
Linux PC (mine) - 192.168.193.70
Windows server 1 - 192.168.193.211
Windows server 2 - 192.168.193.212
FTP server - 192.168.193.14

I have another IP on the network which is 192.168.193.4. No information about open ports/OS etc on it; same went for the router/gateway 1. I’m assuming the 192.168.193.4 IP is also another router. How can I gain access to the network behind that router? Thanks



WTI Wireless device

Hey everyone,

Finding this place now looking for some help on a network device. I’m dealing with a WTI 1200 failover router. This customer is using it as their main network, which in theory isn’t an issue, but just providing context. It has worked for the last 9 days after installation, but as of this morning is not providing internet to the network. The net light is blinking red, and the port it is connected to in the switch is not being lit up. My IT department is stumped on this one, as these devices are fairly new to us.



Data Science for Computer Networks. Where should I start?

My boss wants me to do computer network analysis. However, I have never done it before and I only have a math background. I have a good command of R and Statistics. Please help me with ideas and learning material.

I just bought the book Network Security Through Data Analysis: From Data to Action, by Michael Collins. If you go to the index of the book (the index is on Amazon), Part 3 is Analytics (starts on page 199). The index shows a list of all possible analytics for computer networks.

My only experience was with delay analysis, jitter analysis, UDP vs TCP.. In other words, not too much.

I would say that the general question that we are trying to answer is if our computer network is healthy.

I have time to learn. And, I am planning to subscribe to O'Reilly, which gives you access to millions of books and videos. I have seen that they have an area called cybersecurity analyst. Please let me know if edX, Coursera, or any other MOOC can help me. In advance, thank you for your help!



Giga sized Troubles

My name is George and I am an EE major graduating in December.

The plan for my senior project is to construct a working, very high-security, and high bandwidth fiberoptic network. 

I have purchased consumer gear from Ubiquiti, but it can only get me so far.

I am planning on using a 144 fiber OS2 8.3 um plenum cable for multiple 10 Gb/s connections modeling a backbone.

For this high-security network I would like to have full visibility of network traffic and logs for a possible ML application in Python.

I am currently working on SFP+ module compatibility and making custom cables.

I have been unable to find any of the Gigamon software tools on the open web and I will not be able to make this project work without them.

I have contacted Gigamon several times with only one response from a low-level sales rep offering a demo. 

In your collective experience, is there any way to use this gear without the software? Is there a downgraded version of the software somewhere out there?

I have currently acquired from ebay:

5X GigaVUE-2404

1X GigaVUE-420 

1X GigaVUE-HB1

I think everything is at end of life and I just wanted to reach out as a last-minute hail mary to see if anyone is able to help.

Edit 1: This is an educational project with Kennesaw State University and I would only need licenses until the end of the year if that helps. 

https://drive.google.com/file/d/1Wn-0MpCECHcqHs0ADeTtjeHrrhH5lAgr/view?usp=sharing



FS.com switches any good?

I’ve been using FS.com for optics and fibres for years, but never dabbled in any of their kit that’s capable of making decisions. Does anybody have experience with their switches? I’m mainly looking at their entry level “L2+” switches for a small internet aggregation / access network. The only basic requirements are STP and Lag/MLag support, and ACLs to protect the management plane. And cheap.



Force all traffic through vpn

Goal: force all traffic through VPN only.

Client: Windows in VM

VPN: OpenVPN

I delete the 0.0.0.0 route in the client. I make a route for the destination of my VPN server with my LAN default gateway as the gateway (192.168.1.1). So, in practice when I turn on openvpn, it attempts to connect to the server IP which has a route through my local LAN gateway, which would result in a connection and a new VPN connection established. And when the VPN connection drops, all traffic stops.

However, I am unable to connect to the VPN server. I was able to replicate the same scenario in softether, but not openvpn. What am I doing wrong?
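An added example (not from the post) that simulates the routing table the post describes with a longest-prefix-match lookup, so you can see which destinations can leave the host before the tunnel is up and after OpenVPN adds its `redirect-gateway def1` routes (the two /1 routes that override a default route without deleting it). The server, LAN gateway and tunnel addresses are constructed, and the example assumes the server pushes `redirect-gateway def1`.

```python
"""Added example: longest-prefix-match simulation of a 'no default route'
kill switch: a /32 host route to the VPN server via the LAN gateway is the
only way off the LAN until OpenVPN's own routes appear."""
from ipaddress import ip_address, ip_network

LAN_GW = ip_address("192.168.1.1")       # from the post
VPN_SERVER = ip_address("203.0.113.5")   # constructed (documentation range)
TUN_GW = ip_address("10.8.0.1")          # constructed tunnel gateway

# Table as the post describes it before the tunnel comes up: LAN on-link,
# one host route for the VPN endpoint, and no 0.0.0.0/0 at all.
KILL_SWITCH_TABLE = [
    (ip_network("192.168.1.0/24"), None),              # on-link, no gateway
    (ip_network("203.0.113.5/32"), LAN_GW),            # VPN endpoint via LAN
]


def lookup(table, dst):
    """Return (prefix, gateway) of the most specific matching route, or None."""
    dst = ip_address(dst)
    matches = [(net, gw) for net, gw in table if dst in net]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)


def with_tunnel_up(table):
    """What `redirect-gateway def1` adds: two /1 routes through the tunnel.
    They beat any default route by prefix length, and the /32 host route
    still beats them, so the encrypted carrier traffic stays on the LAN."""
    return table + [
        (ip_network("0.0.0.0/1"), TUN_GW),
        (ip_network("128.0.0.0/1"), TUN_GW),
    ]


def next_hop(table, dst) -> str:
    """'onlink', 'LAN', 'VPN' or 'DROP' for a destination; DROP is the kill
    switch doing its job (and also why a hostname in the OpenVPN `remote`
    line cannot be resolved unless the DNS server is on the LAN)."""
    route = lookup(table, dst)
    if route is None:
        return "DROP"
    gw = route[1]
    if gw is None:
        return "onlink"
    return "VPN" if gw == TUN_GW else "LAN"


if __name__ == "__main__":
    for table_name, table in (("before", KILL_SWITCH_TABLE),
                              ("after", with_tunnel_up(KILL_SWITCH_TABLE))):
        for dst in ("192.168.1.50", "203.0.113.5", "8.8.8.8"):
            print(table_name, dst, next_hop(table, dst))
```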



Friday, June 18, 2021

Access Point recommendation

Hello, I need an indoor access point with high gain antennas, a Gb port, 5GHz is not strictly needed, and it must support power supply over 802.3af/802.3at. I am unable to find any access points that cover my needs. Maybe someone has some good recommendations for me?



Why doesn't Cisco account for the FCS?

Some context here: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_plcshp/configuration/xe-17/qos-plcshp-xe-17-book/qos-plcshp-ether-ohead-actg.html

I have a 50mbit circuit with an ISP (L2 MPLS) but the bearer is 100mbit. We pay for the 'L2 rate' apparently.

I get that there's ethernet overhead that needs to be added but I would class it in three ways:

  • Layer 1 stuff: 8 bytes of preamble to sync comms, 1 byte of Start of Frame Delimiter and 12 'bytes' of idle state between transmissions.

  • Layer 2 stuff: Source/Dest Mac, Ethertype and FCS

  • Layer 3 stuff: Frame payload e.g. the L3 packet.

So when they say they shape at the L2 rate I expect that my QoS policy can ignore 20 bytes per packet (L1 stuff above) and therefore can be built accounting for the L2 overheads only, but when I look at what Cisco accounts for by default I get this:

  • Source/Dest mac = 12 bytes
  • Ethertype = 2 bytes
  • FCS = 4 bytes

So 18 bytes of overhead exist for each packet. But the Cisco documentation says that they only account for Source/dest mac and Ethertype - So 14-bytes in my scenario.

So why did Cisco ignore FCS in their calculations?
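An added example (not from the post or the Cisco document) that puts numbers on the three accounting views the post lists: it computes how many bytes per packet each view counts and, for a shaper that counts one view while the ISP counts another, how far the delivered rate overshoots the contracted one. The 50 Mbit figure is the post's; everything else is the standard Ethernet framing sizes.

```python
"""Added example: Ethernet overhead accounting per packet, and the overshoot
you get when a shaper counts fewer bytes per packet than the far end does."""

PREAMBLE_SFD = 8   # 7 bytes preamble + 1 byte start-of-frame delimiter
IFG = 12           # inter-frame gap, 12 byte-times of idle
L2_HEADER = 14     # dst MAC (6) + src MAC (6) + Ethertype (2)
FCS = 4
MIN_L2_PAYLOAD = 46   # Ethernet pads shorter payloads up to this

# Bytes added to the L3 packet under each accounting view in the post.
OVERHEAD = {
    "l3_only": 0,                                   # the IP packet alone
    "l2_no_fcs": L2_HEADER,                         # the 14 bytes the post sees counted
    "l2_full": L2_HEADER + FCS,                     # 18 bytes, the whole L2 frame
    "l1": L2_HEADER + FCS + PREAMBLE_SFD + IFG,     # 38 bytes, everything on the wire
}


def bytes_per_packet(ip_len: int, view: str) -> int:
    """Bytes counted for one packet under the given view, padding included."""
    return max(ip_len, MIN_L2_PAYLOAD) + OVERHEAD[view]


def delivered_rate(shaped_bps: float, ip_len: int, shaper_view: str,
                   measured_view: str) -> float:
    """Rate seen under `measured_view` when a shaper enforces `shaped_bps`
    while counting bytes under `shaper_view`. The shaper fixes the packet
    rate; the other party multiplies that by the bytes it counts."""
    pps = shaped_bps / (8 * bytes_per_packet(ip_len, shaper_view))
    return pps * 8 * bytes_per_packet(ip_len, measured_view)


def overshoot_pct(shaped_bps: float, ip_len: int, shaper_view: str,
                  policer_view: str) -> float:
    """Percentage by which traffic exceeds the contracted rate when the ISP
    counts more bytes per packet than the shaper does."""
    rate = delivered_rate(shaped_bps, ip_len, shaper_view, policer_view)
    return (rate / shaped_bps - 1.0) * 100.0


if __name__ == "__main__":
    # A shaper at the post's 50 Mbit that ignores the FCS, measured by an ISP
    # policing the full L2 frame: the error is worst for small packets.
    for size in (46, 512, 1500):
        print(size, round(overshoot_pct(50e6, size, "l2_no_fcs", "l2_full"), 2))
```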



Can you CIDR a windows DHCP scope?

I have a scope I want to chisel out with VLANs. It’s a /22 single network.

0.1-3.254, can I split different sites into separate vlans based on that individual scope?



Domain user log into Cisco wi-fi automatically

Hi,

I want domain users to bypass the Cisco wi-fi login when they are logged into domain laptops in the office. The Cisco wifi access point has the internal CA-issued certificate installed. According to the Cisco document, users will need to install a user certificate issued by the CA server on their computers.

How can I achieve it? Please help!

Thanks,



New to Networking; wondering if I could get some pointers

I just started working with a new company doing networking on the side. I work in IT for a company with 6 locations, managed switches etc. but I don't do most of that, I’m just familiar with it. This is my first time configuring a network on my own.

This network was set up by Spectrum initially. There is a patch panel and switch, then connected to the switch is a Cradlepoint AER1650LP4 (no wifi capabilities). The Cradlepoint is connected to a Technicolor TC8715D router/modem combo and has a split coax with another Spectrum ET2251 modem.

The company has about 10-12 computers, and it varies if they're hardwired or on wi-fi. They also have about 10 Ethernet phones. Currently, the two routers are on separate subnets and can't communicate. I was wondering if anyone could point me in the right direction.

Do they need both modems? Would it be better to replace the others with only 1 router/modem combo and run a separate router upstairs in bridge mode or a Wi-Fi repeater?

I realize the Wi-Fi and Ethernet were separated for security purposes. Can this be achieved in other ways?

Thank you for reading.



ISP Physical Network Topology

Where does one go to find a consulting company for designing a network for a neighborhood or city? Essentially the physical topology.

I have researched but can't find much information or consulting companies that offer these types of services. Maybe my google-fu is off.

I have talked with companies who do boring for larger ISPs but they do not design the physical topology. I am not sure who else to ask.

Any help would be greatly appreciated.



Looking for the right solution to replace internal MPLS & VPN routers with something more publicly accessible to get less "on-prem"

Hi all, I'm just in the beginning stages of some brainstorming and research..

I work IT at a very small financial institution and we have had a pretty on-premises-centric infrastructure for the last 10 years (most everything had been on-site such as AD, Exchange, SQL servers, other systems) but now the last 3 years we have had more and more services pulled out and going hosted and we've significantly reduced server hardware quite a bit.

One of the things that has stuck around are our connections to our main 3rd party vendor's datacenter, of which there are two gateways: 1, a primary MPLS router connected to private fiber lines; and 2, a failover VPN router which goes over one of our Internet connections. These physical connection points exist inside the building and therefore tie us to the building in that if users need to work remote, they must first remote into the company's environment from a company provided laptop to their individual company workstation (we use Citrix VDA) and then from there, they access the apps which connect to the datacenter.

What I am trying to figure out is if there is a common solution/implementation which would bring those connection points out of the building to be accessible over the Internet. My thought is that I would like to free up the dependency on connecting into the company's internal network before being able to access the apps that access the remote datacenter. This would eventually get rid of the 1:1 ratio of laptop to PC, and have people just be able to use one system (laptop or PC) if necessary, and be able to securely access everything over the internet.

Also, if the building burns down, people will still have access to all services.

Edit: I suppose the main thing would be checking what access methods the vendor actually supports, but I also am just trying to figure out what specific things to ask for so I get us heading down the right path.

Edit 2: wild shot in the dark, I assume I just need to ask if they support a public VPN connection, web-based, so there is no hardware necessary.



Help me HP Engineers

First off... I am coming into a new HPE environment after working for years in a strictly Avaya/Extreme and some Aruba environment. CLI commands are a bit different between the two. I have purchased a new HP FlexNetwork 5130 fiber switch which I want to use to split our 2 primary 1G fiber feeds in two. I have one primary from Lumen, with a secondary backup from Comcast. I need to split these at the core switch, into 2 each, then feed the 2 SonicWall 5650s that I have, one primary, one HA. I was wondering if someone could take a look at my setup, and possibly 'help' me along with some initial configs or at least tell me if I am way off base. I'd imagine all I need to really do is IP the switch obviously, but have both fiber feeds on 2 separate VLANs. I just have no idea where to begin with the config commands. Any help is greatly appreciated!

Link to picture of diagram below

https://imgur.com/a/nniFodg



Is there a name for mesh networks with nodes that each handle their own DNS, DHCP, and other services?

I’m looking to learn more about what I assume is a subset of mesh networking where each individual node hosts a DNS and DHCP server. Preferably, if one node was operational it could handle all the services the clients expect, but if multiple nodes were up I would like the DNS and other services to be replicated throughout the nodes.

Is there a name for this type of network or a place I could find documentation on best practices? Is it even possible to do this in a decentralized manner without some sort of controller coordinating the synchronization of the data held at each node?

Thanks everyone!



Need help with SNMP user setup

Hey guys, my buddy set up an SNMP user on an ASR1006 that someone built 3 years ago but never moved to prod. The password for the user is encrypted in MD5. Trying to figure out the best approach to figure out the password so it can be set up on SevOne.



Cisco Callmanager disable Pickup Group

Hi there,

We have a Pickup Group configured in our CallManager that we would like to replace with a Hunt Pilot.

Is there a way to disable (not delete) the Pickup Group to test if the Hunt Pilot works properly?



QSFP+ SR BiDi vs QSFP+ LX4 transceivers

What is the advantage of QSFP+ SR BiDi over QSFP+ LX4, when we want to use MMF?



Huge undocumented network, need some pointers

Hi everyone,

I'm sitting in a kind of mess and would need some pointers on where to start. So, I got hired to do networking work at a company. The network is kind of big, multiple locations interconnected, probably about 50 something switches, some 30 VLANs. Now here is my problem: nothing seems to work as expected. The switches are mostly managed, but nothing much seems to be configured in terms of security, QoS, routing or anything like that. There are no firewalls and it's not connected to the internet (thank god). No protocols are blocked. Most of the switches are connected via fibre to a stacked core switch. Since this is a switched network, I would expect all devices in the same subnet and VLAN to be able to ping each other, right? Unfortunately, wrong! Depending on where I am plugged into the network (i.e. different switches) I get connected to a different set of IP addresses. From some points I might see all of the other switches (right now I'm only investigating the mgmt VLAN, I don't think I'm ready yet to see what the other VLANs might be doing), while from some points I might only reach a handful. On top, if I log in to the switches (SSL or web) and use the ping directly from that switch, I get yet another set of pingable IPs and reachable devices.

Obviously, since the network was planned by some contractor 12 years ago and built by some other contractor about 10 years ago, they didn't even have a department responsible for taking care of it. Also, not really anything other than cable plans exists, no documentation of the network structure whatsoever.

So, if you could give me some pointers or ideas about where to start making sense of this huge, historically grown and intrinsically warren-like network, that would really be a huge help. I've started setting up a monitoring solution, which I hope will give me some further insight into what is happening. Have you got any ideas where the weird ping problems seem to stem from?

Thanks a bunch for helping me find light in this mess!

EDIT: mostly spelling



Need a kind of VPN solution

Hi,

We are a machine building company, and I am looking for a way to remotely log in to our machines. There are devices for that (we've used EWON for that).

However we do not install such a device in every one of our machines, but what we do have in every automation is a Windows PC.

Let me explain a little bit :

Our machines typically consist of a simple local network with fixed IPs, no router/DHCP. In that network you'll find a PLC, robot, camera, printer, ... and also a Windows 10 PC. Via this "machine network", the devices can communicate and the equipment can work.

However we always put a 2nd NIC in the Windows PC, so that it has access to the company network. By using this 2nd NIC, the 'machine network' remains isolated and invisible from the company network. The Windows PC is typically used for logging, SQL communication, and we also put TeamViewer on it for remote assistance.

So this would be my question: if we want to edit the PLC code on the PLC that is on the 'machine network', we need to put the PLC development software on the local machine PC, so that it can connect to the PLC. Or we connect a laptop to the machine switch, so that it can see the PLC.

We were wondering if there is a way to have a laptop in our office dial in to a VPN server on the local Windows PC, and use this connection to connect to the machine network and the PLC.

So to use the machine PC as a gateway to connect remotely to any device on the local machine network.

The problem is that a regular (built-in PPTP, I know: old, don't use it) VPN server in Windows is blocked by the company firewall. So we can't just set up a VPN server without going through the IT department of the customer. We would like to avoid this, by using only outgoing connections (typically not blocked).

So I tried to use the TeamViewer VPN. TeamViewer has a built-in VPN client and server, and is accessible behind a company's firewall.

So now I have a situation where I can connect my laptop from our company to the VPN server on the machine PC at the customer. However my laptop gets an IP in the TeamViewer VPN subnet, and cannot ping the machine network.

So I then need to bridge the VPN connection to the first physical NIC on the PC, right? But we are not succeeding in this.

Do you guys perhaps have a more elegant solution?

Thomas.



Changing EIGRP delay doesn't change routing zero's route

I have two ASR 1002X's that connect to a Cisco catalyst C3850-12XS. Each ASR is connected to a different ISP. All 3 devices use EIGRP for routing. ISP1 ASR has delay of 1000, ISP2 ASR delay 1500.

Needed to manually fail over from ISP1 to ISP2, so I changed the EIGRP delay to be 2000 across the ISP1 connected devices. EIGRP did not fail over to ISP2? What can I do that is non-invasive to force an EIGRP routing change? Would clearing routes or resetting EIGRP drop currently connected outbound users?

We have a similar setup across several sites, but we are using Cisco 2900 routers and Cat 3750E connecting to two different ISPs on those sites, all running 15.x IOS code. When we change the delay on ISP1, it always forces traffic out ISP2 on those sites.

Thanks



Thursday, June 17, 2021

ISP and VLANs

Hello -

I need to order and install Internet Dedicated services to a remote 3rd party location where the service will be extended via physical cross connect into one of their switches. The requirement is that the incoming traffic into their switch needs to be tagged either .1q or .1ad. Has anyone run into issues with their ISP in being able to pass/allow tags across the service?

Is it just a matter of making sure the ISP checks a box per se to allow this on a Layer 3 Internet service? The presumption is the handoff to the remote end will be 1G Ethernet.

Thanks!



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, as well as a nice description, to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Pool rated Ethernet cable for AP

I am going to be installing an AP in our natatorium to provide some WiFi access. I’ll be installing an outdoor rated AP but what I’m more worried about is the Ethernet cable. Looking to get an Ethernet cable that is rated waterproof or that can handle some harsh chemicals. Any ideas on what to do and how to really seal the end to make sure it doesn’t corrode?



Punch down tools

Kind of a simple choice to make, but looking to buy a punch down tool for keystones. Anyone have any favorites, they all seem to be about the same but seem to vary widely in price.



Need help with trunk between 2 different switches

Hi expert,

I got a fiber link between 2 offices configured in trunk mode. On one side I got a Dell 5548 and on the other side a Cisco 2960X. Each port is configured as a trunk on these VLANs: 5,10,40,50,80,90,111. But VLAN 111 does not pass over the link. I can't ping items on VLAN 111 between the 2 networks. But for the other VLANs all works fine.

How can I diagnose that? I tried to check some logs or data on the Dell CLI for the port facing the fiber link, but I am not very familiar with these switches.

Any idea?



Viptela/vEdge - tunnel-interface command on all VPN numbers apart from VPN0

I'm new to SD-WAN and just playing around as I study - Using a home dedicated server with EVE-NG installed

If I assign an interface (e.g. ge0/0) to VPN0, it lets me use the tunnel-interface command:

 vEdge20(config)# vpn 0
 vEdge20(config-vpn-0)# interface g0/0
 vEdge20(config-interface-g0/0)# ip address 20.20.20.20/24
 vEdge20(config-interface-g0/0)# tunnel-interface
 vEdge20(config-tunnel-interface)# encapsulation ipsec
 vEdge20(config-tunnel-interface)#

If I assign an interface to VPN10, it doesn't let me use the tunnel-interface command:

 vEdge20(config)#
 vEdge20(config)# vpn 0
 vEdge20(config-vpn-0)# no interface ge0/0
 vEdge20(config-vpn-0)# exit
 vEdge20(config)# vpn 10
 vEdge20(config-vpn-10)# interface ge0/0
 vEdge20(config-interface-ge0/0)# ip address 20.20.20.20/24
 vEdge20(config-interface-ge0/0)# tunnel-interface
 ---------------------------------^
 syntax error: unknown command
 vEdge20(config-interface-ge0/0)#

I have tried keeping ge0/0 on VPN 0 and using ge0/1 for VPN 10 but have the same issue.

I have tried googling around and not found anything. Am I fundamentally missing something?



[META] Navigate through 3gpp's specifications

Hello guys,

Currently at my work, I must understand the 3GPP 5G Core Network. Since my background was not in telecom, I have a hard time finding information among the sea of specifications. From your experience, would you mind sharing with me some of your tips to navigate through those documents? I imagine that there exist some patterns so that when I need information specific to, for example, SMF/UPF and their protocols, I could find the related documents and sections quickly.
P.S.: I am not familiar with all terms in telecom. And the search engine on 3GPP's portal is not great, or maybe I don't know how to pick the right query.



Policy Based VPN - Same Encryption domain on tunnels to 2 sites

We have a customer who wishes to tunnel to us using an active/standby (2 VPN endpoints, 1 encryption domain) policy based VPN tunnel from one datacenter of theirs, to 2 datacenters of ours.

We reverse route inject our policy based tunnels then redistribute the static routes into bgp. With this customers request, our network would have 2 bgp route entries to the customer, with only one of them being viable at any given time depending on which tunnel (Site A or Site B) is active at that particular moment in time.

Is there any way with policy based VPNs to essentially withdraw routes for tunnels that are down, or some other clever trick I can use to have my networks route back to the customer only through the site with the active VPN tunnel?

All VPNs involved are Cisco ASAs. Appreciate any opinions, and let me know if I can answer any questions.



Cisco ASA5516 Input errors

ASA5516. Getting input errors about every 10-20sec. The device was up for about 100 days before we noticed that it killed the network speed. Rebooted the device and it cleared it up for now. Any advice for trying to figure out the cause of the errors?

 Hardware is Accelerator rev01, BW 1000 Mbps, DLY 10 usec
 Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
 Input flow control is unsupported, output flow control is off
 MAC address x, MTU 1500
 IP address x, subnet mask 255.255.255.0
 420104542 packets input, 429238268656 bytes, 0 no buffer
 Received 14509239 broadcasts, 0 runts, 0 giants
 26821 input errors, 0 CRC, 26821 frame, 0 overrun, 0 ignored, 0 abort
 0 pause input, 0 resume input
 0 L2 decode drops
 250519518 packets output, 177349647630 bytes, 0 underruns
 0 pause output, 0 resume output
 0 output errors, 0 collisions, 0 interface resets
 0 late collisions, 0 deferred
 0 input reset drops, 1124 output reset drops
 input queue (blocks free curr/low): hardware (1959/1820)
 output queue (blocks free curr/low): hardware (2047/886)

show blocks

 SIZE   MAX   LOW   CNT
 0      1450  1435  1450
 4      500   498   499
 80     2249  2187  2249
 256    6148  6113  6143
 1550   8780  8669  8777
 2048   4400  4399  4400
 2560   2788  2788  2788
 4096   100   100   100
 8192   100   100   100
 9344   100   100   100
 16384  154   154   154
 65536  16    16    16

cpu-hog

Cisco Adaptive Security Appliance Software Version 9.13(1)
ASLR enabled, text region 55f147c52000-55f14c62bd25

Process: CP Midpath Processing, PROC_PC_TOTAL: 2, MAXHOG: 1, LASTHOG: 1
LASTHOG At: 10:56:24 CDT Jun 14 2021
PC: 0x000055f148e87b65 (suspend)

Process: CERT API, PROC_PC_TOTAL: 2, MAXHOG: 3, LASTHOG: 3
LASTHOG At: 10:56:24 CDT Jun 14 2021
PC: 0x000055f14a1fae88 (suspend)

Process: Unicorn Admin Handler, PROC_PC_TOTAL: 1, MAXHOG: 4, LASTHOG: 4
LASTHOG At: 10:57:49 CDT Jun 14 2021
PC: 0x000055f14a5c784d (suspend)

Process: Unicorn Admin Handler, NUMHOG: 1, MAXHOG: 4, LASTHOG: 4
LASTHOG At: 10:57:49 CDT Jun 14 2021
PC: 0x000055f14a5c784d (suspend)
Call stack: 0x000055f148888633

Process: CP Processing, PROC_PC_TOTAL: 1, MAXHOG: 19, LASTHOG: 19
LASTHOG At: 11:08:15 CDT Jun 14 2021
PC: 0x000055f148e87175 (suspend)

Process: CP Midpath Processing, NUMHOG: 5, MAXHOG: 19, LASTHOG: 19
LASTHOG At: 11:08:15 CDT Jun 14 2021
PC: 0x000055f148e87b65 (suspend)
Call stack: 0x000055f1488885fb

Process: tmatch compile thread, PROC_PC_TOTAL: 3, MAXHOG: 1, LASTHOG: 1
LASTHOG At: 12:49:49 CDT Jun 14 2021
PC: 0x000055f148cedd1c (suspend)

Process: tmatch compile thread, NUMHOG: 3, MAXHOG: 1, LASTHOG: 1
LASTHOG At: 12:49:49 CDT Jun 14 2021
PC: 0x000055f148cedd1c (suspend)
Call stack: 0x000055f148cedd1c 0x000055f1488885fb

Process: Unicorn Proxy Thread, PROC_PC_TOTAL: 1, MAXHOG: 1, LASTHOG: 1
LASTHOG At: 13:59:43 CDT Jun 14 2021
PC: 0x000055f1491a8f7c (suspend)

Process: Unicorn Proxy Thread, NUMHOG: 1, MAXHOG: 1, LASTHOG: 1
LASTHOG At: 13:59:43 CDT Jun 14 2021
PC: 0x000055f1491a8f7c (suspend)
Call stack: 0x000055f148889145 0x000055f1491a8f7c 0x000055f1489054ff 0x000055f14aa27a7b 0x000055f14aa2ae0b 0x000055f14883c47f 0x000055f1488a6a40 0x000055f1488aa090 0x000055f14889f610 0x000055f1488a0ddd 0x000055f1488a10ce 0x000055f14ad1c078 0x000055f14a7ab112 0x000055f14a7bc1fd

Process: Unicorn Proxy Thread, PROC_PC_TOTAL: 2, MAXHOG: 2, LASTHOG: 2
LASTHOG At: 23:45:56 CDT Jun 14 2021
PC: 0x000055f14a653b6f (suspend)

Process: Unicorn Proxy Thread, NUMHOG: 2, MAXHOG: 2, LASTHOG: 2
LASTHOG At: 23:45:56 CDT Jun 14 2021
PC: 0x000055f14a653b6f (suspend)
Call stack: 0x000055f14a653b6f 0x000055f14a672b62 0x000055f14a675210 0x000055f14a7be9b3 0x000055f14a7bcf29 0x000055f14a7b0253 0x000055f14a7b177e 0x000055f14a7b2643 0x000055f14a7b3bde 0x000055f14a7b5536 0x000055f14a7b3d4f 0x000055f14a7b6013 0x000055f14a7aae85 0x000055f14a7aab0a

Process: IKEv2 Daemon, PROC_PC_TOTAL: 5, MAXHOG: 3, LASTHOG: 3
LASTHOG At: 05:19:59 CDT Jun 15 2021
PC: 0x000055f1489d74d9 (suspend)

Process: IKEv2 Daemon, NUMHOG: 5, MAXHOG: 3, LASTHOG: 3
LASTHOG At: 05:19:59 CDT Jun 15 2021
PC: 0x000055f1489d74d9 (suspend)
Call stack: 0x000055f148abefd8 0x000055f1489e455f 0x000055f14928f5ed 0x000055f149304101 0x000055f1492fdbde 0x000055f14930159f 0x000055f1492e3615 0x000055f1492ecae0 0x000055f1492ecff5 0x000055f1492f71b6 0x000055f1492f7bb4 0x000055f149342d41 0x000055f1492cff30 0x000055f1488885fb

Process: Unicorn Admin Handler, PROC_PC_TOTAL: 1, MAXHOG: 4, LASTHOG: 4
LASTHOG At: 13:12:02 CDT Jun 16 2021
PC: 0x000055f14903199b (suspend)

Process: Unicorn Admin Handler, NUMHOG: 1, MAXHOG: 4, LASTHOG: 4
LASTHOG At: 13:12:02 CDT Jun 16 2021
PC: 0x000055f14903199b (suspend)
Call stack: 0x000055f14903199b 0x000055f1490262b7 0x000055f149f6e5a8 0x000055f1490ea072 0x000055f1490d83a7 0x000055f1490da001 0x000055f1490daa6f 0x000055f1490e657e 0x000055f1488885fb

Process: Unicorn Proxy Thread, PROC_PC_TOTAL: 14, MAXHOG: 3, LASTHOG: 1
LASTHOG At: 10:35:55 CDT Jun 17 2021
PC: 0x000055f14a680530 (suspend)

Process: Unicorn Proxy Thread, NUMHOG: 14, MAXHOG: 3, LASTHOG: 1
LASTHOG At: 10:35:55 CDT Jun 17 2021
PC: 0x000055f14a680530 (suspend)
Call stack: 0x000055f14a680530 0x000055f14a6532ca 0x000055f14a659b39 0x000055f14a659c38 0x000055f14bcd342a 0x00007fab59ea8658 0x00007fab595b4b00 0x00007fab595b5300 0x00007fab595b5400 0x00007fab595b5500 0x00007fab595b5600 0x00007fab595b5700 0x00007fab595b6b80 0x00007fab595b6c80

Process: rtcli async executor process, PROC_PC_TOTAL: 8, MAXHOG: 2, LASTHOG: 2
LASTHOG At: 12:57:50 CDT Jun 17 2021
PC: 0x000055f14a652b6a (suspend)

Process: rtcli async executor process, NUMHOG: 8, MAXHOG: 2, LASTHOG: 2
LASTHOG At: 12:57:50 CDT Jun 17 2021
PC: 0x000055f14a652b6a (suspend)
Call stack: 0x000055f14a652b6a 0x000055f14a659b39 0x000055f14a659c38 0x00007fab6ace29e0

Process: ssh_init, NUMHOG: 11, MAXHOG: 6, LASTHOG: 6
LASTHOG At: 13:08:22 CDT Jun 17 2021
PC: 0x000055f14a557b70 (suspend)
Call stack: 0x000055f14a56dd52 0x000055f14a56cdea 0x000055f14a56af35 0x000055f14a56bca8 0x000055f14a561312 0x000055f1488885fb

Process: ssh_init, PROC_PC_TOTAL: 77, MAXHOG: 6, LASTHOG: 2
LASTHOG At: 13:13:51 CDT Jun 17 2021
PC: 0x000055f14a557b70 (suspend)

Process: ssh, NUMHOG: 66, MAXHOG: 2, LASTHOG: 2
LASTHOG At: 13:13:51 CDT Jun 17 2021
PC: 0x000055f14a557b70 (suspend)
Call stack: 0x000055f14a56dd52 0x000055f14a57010a 0x000055f14a55e8aa 0x000055f14a55f04d 0x000055f149f3702f 0x000055f14b17a13f 0x000055f148964915 0x000055f1489510ae 0x000055f148952257 0x000055f1488885fb

Process: DATAPATH-0-1603, PROC_PC_TOTAL: 882, MAXHOG: 7, LASTHOG: 4
LASTHOG At: 13:20:50 CDT Jun 17 2021
PC: 0x0000000000000000 (suspend)

Process: DATAPATH-0-1603, NUMHOG: 879, MAXHOG: 7, LASTHOG: 4
LASTHOG At: 13:20:50 CDT Jun 17 2021
PC: 0x0000000000000000 (suspend)
Call stack: 0x000055f148d4fa8a 0x000055f14a27b187 0x000055f14a28a8ac 0x000055f14a29a5d8 0x00007fab8f9803d4

Process: DATAPATH-1-1604, PROC_PC_TOTAL: 854, MAXHOG: 26, LASTHOG: 2
LASTHOG At: 13:20:50 CDT Jun 17 2021
PC: 0x0000000000000000 (suspend)

Process: DATAPATH-1-1604, NUMHOG: 851, MAXHOG: 26, LASTHOG: 2
LASTHOG At: 13:20:50 CDT Jun 17 2021
PC: 0x0000000000000000 (suspend)
Call stack: 0x000055f148d4fa8a 0x000055f14a27b187 0x000055f14a28a8ac 0x000055f14a29a5d8 0x00007fab8f9803d4

CPU hog threshold (msec): 1.542
Last cleared: None

block exhaustion snapshot

Snapshot created due to 0 blocks running out
LOW, CNT columns indicate interface pool blocks
GLB prefixed columns indicate global pool blocks
TXQLEN column indicates number of blocks in transmit ring

Interface TXQLEN

Core local blocks information:
CORE  LIMIT  ALLOC  HIGH  CNT  FAILED
   0      0      0     0    0       0
   1      0      0     0    0       0

Histogram of 'ASP load balancer queue sizes'
64 buckets sampling from 1 to 65 (1 per bucket)
0 samples within range (average=0)
<no data for 'ASP load balancer queue sizes' histogram>
Data points:
bucket[1-1] = 0 samples   bucket[2-2] = 0 samples   bucket[3-3] = 0 samples   bucket[4-4] = 0 samples   bucket[5-5] = 0 samples   bucket[6-6] = 0 samples   bucket[7-7] = 0 samples   bucket[8-8] = 0 samples
bucket[9-9] = 0 samples   bucket[10-10] = 0 samples   bucket[11-11] = 0 samples   bucket[12-12] = 0 samples   bucket[13-13] = 0 samples   bucket[14-14] = 0 samples   bucket[15-15] = 0 samples   bucket[16-16] = 0 samples
bucket[17-17] = 0 samples   bucket[18-18] = 0 samples   bucket[19-19] = 0 samples   bucket[20-20] = 0 samples   bucket[21-21] = 0 samples   bucket[22-22] = 0 samples   bucket[23-23] = 0 samples   bucket[24-24] = 0 samples
bucket[25-25] = 0 samples   bucket[26-26] = 0 samples   bucket[27-27] = 0 samples   bucket[28-28] = 0 samples   bucket[29-29] = 0 samples   bucket[30-30] = 0 samples   bucket[31-31] = 0 samples   bucket[32-32] = 0 samples
bucket[33-33] = 0 samples   bucket[34-34] = 0 samples   bucket[35-35] = 0 samples   bucket[36-36] = 0 samples   bucket[37-37] = 0 samples   bucket[38-38] = 0 samples   bucket[39-39] = 0 samples   bucket[40-40] = 0 samples
bucket[41-41] = 0 samples   bucket[42-42] = 0 samples   bucket[43-43] = 0 samples   bucket[44-44] = 0 samples   bucket[45-45] = 0 samples   bucket[46-46] = 0 samples   bucket[47-47] = 0 samples   bucket[48-48] = 0 samples
bucket[49-49] = 0 samples   bucket[50-50] = 0 samples   bucket[51-51] = 0 samples   bucket[52-52] = 0 samples   bucket[53-53] = 0 samples   bucket[54-54] = 0 samples   bucket[55-55] = 0 samples   bucket[56-56] = 0 samples
bucket[57-57] = 0 samples   bucket[58-58] = 0 samples   bucket[59-59] = 0 samples   bucket[60-60] = 0 samples   bucket[61-61] = 0 samples   bucket[62-62] = 0 samples   bucket[63-63] = 0 samples   bucket[64-64] = 0 samples

DP-CP EVENT QUEUE               QUEUE-LEN   HIGH-WATER
Punt Event Queue                        0            0
Routing Event Queue                     0            0
Identity-Traffic Event Queue            0            0
PTP-Traffic Event Queue                 0            0
General Event Queue                     0            0
Syslog Event Queue                      0            0
Non-Blocking Event Queue                0            0
Midpath High Event Queue                0            0
Midpath Norm Event Queue                0            0
Crypto Event Queue                      0            0
HA Event Queue                          0            0
Threat-Detection Event Queue            0            0
SCP Event Queue                         0            0
ARP Event Queue                         0            0
IDFW Event Queue                        0            0
CXSC Event Queue                        0            0
BFD Event Queue                         0            0
SFR Event Queue                         0            0
Cluster Event Queue                     0            0

CP-DP EVENT QUEUE               QUEUE-LEN   HIGH-WATER
Dispatch Global Work Queue              0            0

block snapshot count is 0


Expected traceroute behavior across unequal length multiple paths

I'm helping to troubleshoot what I believe to be a red herring. The scenario is that a customer is complaining that traceroute to 8.8.8.8 doesn't always terminate at the destination node. Often, the last hop listed in the traceroute output is a combination of 8.8.8.8 and one or more Zayo IPs at the Google peering edge. If I use '-q 1' to force traceroute to use a single probe rather than the default three, it always completes at 8.8.8.8, but the hop count varies from 5 to 7, depending on the path for that particular probe.

I guess what puzzles me is more a question of expected traceroute behavior. It appears that a default traceroute is terminating any time one of the three probes ends at the destination node. I would hope that each probe would continue to completion, even with paths longer than the minimum. Should I expect that traceroute always ends any time it receives a response from the destination, or when all probes finish successfully? As with all things, I wouldn't be surprised if the answer is "it depends", lol.

Edit: Clarity
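The behaviour the post describes can be reproduced in a small model. The Python below is an added example, not code from the original post: it simulates the classic traceroute loop (N probes per TTL, stop after the first TTL at which any probe gets an answer from the destination) over a constructed topology with two equal-cost paths of unequal length. The hop addresses, the 5-hop and 7-hop paths, and the use of destination-port parity as a stand-in for the router's 5-tuple ECMP hash are all assumptions made for the example.

```python
"""Simulate the classic traceroute loop across ECMP paths of unequal length.

Added example, not code from the original post. The topology is constructed:
two equal-cost paths to 8.8.8.8, one reaching it at hop 5 and one at hop 7.
Classic traceroute gives every probe a fresh destination UDP port, so each
probe is a distinct flow and ECMP may hash it onto either path.
"""

DEST = "8.8.8.8"

# Constructed topology. Hops 1-3 are shared; the paths then diverge.
SHORT_PATH = ["10.0.0.1", "10.0.1.1", "10.0.2.1", "203.0.113.1", DEST]
LONG_PATH = ["10.0.0.1", "10.0.1.1", "10.0.2.1",
             "198.51.100.1", "198.51.100.2", "198.51.100.3", DEST]


def pick_path(dst_port):
    """ECMP path selection. Real routers hash the 5-tuple; destination-port
    parity stands in for that hash so the example is deterministic."""
    return SHORT_PATH if dst_port % 2 == 0 else LONG_PATH


def send_probe(ttl, dst_port):
    """Return (responder, reached) for one probe.

    reached is True when the probe arrived at DEST (ICMP port unreachable
    in real life); otherwise the responder is the router where the TTL hit
    zero (ICMP time exceeded).
    """
    path = pick_path(dst_port)
    if ttl >= len(path):
        return DEST, True
    return path[ttl - 1], False


def traceroute(nprobes=3, max_ttl=30, base_port=33434):
    """Classic traceroute: nprobes per TTL, and the TTL loop stops after the
    first TTL at which ANY probe reached DEST. Other probes at that TTL that
    took the longer path show up as transit routers in the same row.

    Returns [(ttl, [responder, ...]), ...].
    """
    rows = []
    port = base_port
    for ttl in range(1, max_ttl + 1):
        responders = []
        got_there = False
        for _ in range(nprobes):
            ip, reached = send_probe(ttl, port)
            responders.append(ip)
            got_there = got_there or reached
            port += 1          # next probe = next destination port = new flow
        rows.append((ttl, responders))
        if got_there:
            break
    return rows


def render(rows):
    """Format rows the way traceroute prints them (hop number, then responders)."""
    return "\n".join(f"{ttl:2d}  {'  '.join(r)}" for ttl, r in rows)


if __name__ == "__main__":
    print("default (3 probes per TTL):")
    print(render(traceroute(nprobes=3)))
    print("\n-q 1, two runs with different starting ports:")
    print(render(traceroute(nprobes=1, base_port=33434)))
    print("---")
    print(render(traceroute(nprobes=1, base_port=33435)))
```

With three probes per TTL the row for hop 5 comes back as 8.8.8.8, a transit router, 8.8.8.8, and the loop stops there because one probe reached the destination; nothing ever follows the longer path to completion. With one probe per TTL there is no mixing within a row, but each hop is still a fresh flow, so consecutive hops can come from different paths and the final hop count depends on which path the last few ports hashed to. The model only covers the classic stop rule; a tool that fixes the flow identity across probes (Paris-style traceroute) would show one path consistently.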



Domain Name Formatting Confusion

When correctly making a domain name line up with a file on a server, from what I understand, I have 2 formatting options.
1: www.example.com/server/folder/file
2: www.server.example.com/folder/file
My question is this. When is the proper time to put a file/end-goal page as a second-level or third-level domain, or to put everything after the top domain? I have tried to research the proper way to do this but I am struggling to know the name for everything after the .com ("/server/folder/file").



[Theory] MAC Address … Networking?

I was thinking about the fundamentals of Networking, and it occurred to me that the purpose of a protocol like ARP is simply to find out what IP Address is assigned to a Host with MAC Address XX:XX…

This protocol literally seems to exist to help facilitation between Layer 2 and Layer 3.

I understand that we cannot in theory give every single Host in the world a unique IPv4 Address, but if every single MAC Address is unique in the world, why wasn’t Networking built upon Network communication (across the LAN/WAN/MAN) using MAC Addresses?

Is it simply because numbers are easier for machines to handle?



Licensing

Good morning,

Are there any good resources for licensing terms with the cost associated with them? I've been researching, and couldn't find anywhere that lists cost. Not on their websites, or Reddit, or anywhere else.

I'm trying to build out a quote for Cisco, Aruba, and Juniper, but am only missing licensing.

Thank you



Sanity-Check for network upgrade

Hey Guys, I'm quite new to the field of networking, especially in the "not consumer" segment but I'm responsible for the infrastructure of a student dorm with ~100-200 Students. We are completely self organized and apparently I have the most knowledge of networks, so here I am.

We've got a bit of money and want to upgrade our old hardware as some of it is decades old. Because I learned most of what I know by myself and never received any form of training I would like to get some feedback on my upgrade plans.

First our current setup:

We have a 1GBit Fiber connection to our ISP that is connected to our old Router/Firewall/Web-/Mailserver. This thing is ancient and nobody really knows who set it up or how. It was used as our one server for everything and is therefore cluttered like crazy. We have moved pretty much all services away except DHCP server and Firewall. The Firewall is an iptables script which also does a lot of NATing.

The next hop is our Core switch: a Cisco Catalyst 3650 series device. Connected to that are our somewhat new servers, which are running Proxmox with all services (Web, Mail,...) virtualized and a Ceph instance. They are connected with a 1Gbit link to the Core switch. There is also a second switch that is only connected to the servers with 3 cables each. I think it was supposed to be an aggregated link so that they can communicate with 3Gig between themselves, but I don't know if that was configured correctly. Anyway, Ceph is really slow and everything is pointing to bad connectivity between the nodes.

There are 2 cables from our server room to each floor. They are labeled as CAT-5 but have shielding and foil, so they are probably more like CAT-6 or 7 but again decades old. They can transmit gigabit fine however. One of those cables is used to connect an old Netgear 100Mbit switch on each floor to the core switch. The end users and Wi-Fi APs are connected to these Netgear devices.

Now my Upgrade-Plan:

We do not have much money and construction work is tedious due to fire safety regulations, so we only want to upgrade the hardware. So no new cables through walls or anything like that.

We can upgrade our Fiber connection to 10GBit. We basically only need to buy a new SFP+ module/NIC.

I really want to replace the old Router and I am thinking of building a firewall that is capable of 10GBit/s throughput. I wanted to use pfSense or OPNsense for it and some secondhand server hardware with a dual SFP+ NIC.

The Core switch should be replaced with a device with two 10Gbit links: one for the uplink to the firewall. I want to put a 10Gig NIC in every server and connect them to a 10Gig switch which is then connected to the second 10G port of the new Core Switch. This should speed up Ceph. I'm thinking of either a Netgear switch with RJ-45 ports or one from Mikrotik with SFP+ and use copper DACs to the servers. Not sure which.

We got a really good deal on more Cisco Catalyst 3650 switches that we want to put in every Floor. Then we want to use both cables to have an aggregated 2 GBit link each.

That's my plan so far but I have some specific questions:

  1. We have an old Cisco Catalyst 2960-S switch lying around that has the 2 10Gbit ports we want for our new core switch. If I understand it correctly it is no longer supported by Cisco though. Can we still use it? What exactly does end of life mean for Cisco devices? They don't get any updates, but is that so bad? Or do we need to buy a new device?
  2. What kind of hardware do we need to achieve 10Gig throughput on a firewall? Is that even possible without spending thousands of dollars? I could only find firewall devices for 1 Gig, hence why I want to build one myself.
  3. Which OS would you recommend for the firewall? I've heard that pfSense is quite good, but they apparently implemented WireGuard super fishy or something and now people say to use OPNsense?
  4. Would you rather use ordinary Ethernet cables to connect the Servers to their new Switch or Copper DACs? Price is pretty similar and we need to buy new NICs for them anyway so either one would work.
  5. If we use Copper DACs for SFP+ ports, we would need to get vendor specific modules on each end. We can buy these at fs.com I think? But which vendor do we choose for the Server side? Could we just use a mikrotik branded cable and the server NIC would accept that?

I would be really thankful for any advice or Feedback you could give me. The network should not be super complex as we have a high turnover rate of tenants and someone new has to maintain it like every 2-4 years. Some of this plan is probably overkill, but we have money that we do not need for anything else and as we are all students we want to use it as an opportunity to learn and get experience that might help in finding jobs in this field.



Sending SNMP traps over different VLANs

Using "snmp-server trap-source vlan xxx" or any other applicable command ...Is it possible to send certain traps over one VLAN and other traps over another VLAN? Or can traps only go over one VLAN?



Anyone know of a Rack / cable management that has multiple vertical management paths?

If that question doesn't make sense, I hate having to worm my AOC cables through copper, and it would be great if there was a "2nd" vertical path behind the first.

I guess technically it would be 3 columns, instead of 2.

I.e., front copper / new path space / back copper.



Can't connect to downstream switch although it's on and working.

Replaced a switch the other day that has a downstream switch with cameras attached.

The cameras went down and the cause was that the ports were getting err-disabled due to BPDU packets being detected on the ports on the new switch.

As a quick workaround I disabled bpduguard on the affected ports, did a shut/no shut, and now the cameras are back up and working.

Problem is I need to get to the downstream switch and disable STP so I can enable bpduguard on the new switch again.

Can't ping the downstream switch from the new switch and it's not in the ARP or MAC address tables even though the cameras that are connected to it are.

Super confused and trying to do this remotely as the downstream switch is 40 ft in the ceiling and would require a whole work order to get up there and connect via console.



LLDP, Voice VLAN, and DSCP

I've got a customer using some Netgear switches for their small network and the phones don't seem to consistently be on one VLAN or another. It looks like what it's doing is inspecting the MAC on traffic, matching against an OUI list, and pushing the traffic to the voice VLAN. The phones are totally unaware that the voice VLAN exists, and they retain the values I push from my server for marking DSCP on SIP, RTP, and SRTP, and I see the switch learning the MAC in both VLANs.

If we change the configuration such that the phone learns the VLAN from LLDP, the phones revert all the DSCP settings to 0 for each instead of 26/46/46.

I replicated this on a TP-Link switch I have at home both ways. At the very least my switch works consistently, where his sometimes works the first way and sometimes the second way. I referred him to Netgear support since it's not my switch and I'm not spending a lot of time fussing with it.

I am in the office today about to fire up an Extreme 210 and Cisco 4948 switch to see if they do the same thing when having the phone learn the voice VLAN via LLDP.

Is this normal behavior? I couldn't find anything on my switch at home for informing the phone of what DSCP values to use, only how to do mappings from dot1p to DSCP. Since we daisy chain phones, it seems like untrusting the port and marking traffic on the switch wouldn't be the way to go since if I understand right, that would mark traffic from the PC too.

His actual problem on site is very intermittent one way audio, and unless the switch is failing to work one way or the other mid way through calls I'm not thinking this is his actual problem anyway. More something I've noticed and something I'm asking for help understanding, more than happy to do reading if anyone has some links or books to point me towards too. For context I'm the HPBX vendor.



What is a backup solution for Shopify?

A lot of small businesses run on Shopify, but when Shopify goes through an outage like it did a week ago what solutions are there to keep the business running while Shopify goes offline?



Small data center switches with vxlan

After some unfortunate event, the management started to realize the need for a backup/secondary datacenter. Because of some apps and not so smart choices we have to have L2 connectivity between servers, so VXLAN seems to be the right way. There are about 100 servers, some hardware, some virtual, and a few VLANs. Current networking is a bit obsolete so we are going to replace some Core/ToR switches.

What vendors would you suggest? We can have good prices for Dell OS10 S52xx and probably Aruba-CX 6xxx, maybe some others.



Server Redundancy

I am new in this field and would like to ask what are the ways I could check for the redundancies of our servers?

I tried to look for their port channels but I did not find any redundancies. Is that the only way to establish redundancy for servers?



Lost connectivity to servers, both physical and VMs

Hi everyone

I've posted this a while back but it got taken down for low quality

My apologies for that. I've made a serious effort to do more troubleshooting and hopefully it'll be more clear to someone who's more knowledgeable how to fix this

The context is this: we have 4 physical hosts that we used for our old ERP. They each have 1 or 2 VMs running on them for specific parts of this software. These hosts as well as their VMs are on their own VLAN. (The network is wide open VLAN-wise though, no ACL rules for accessing them from a different VLAN.)

One of these hosts and its VM has no connectivity issues apart from its iDRAC web interface being inaccessible for some reason. It can be pinged, both the physical host and the VM on it.

The other 3 however, cannot be pinged from the outside (neither the physical hosts nor the VMs on them). But the VMs within these 3 hosts can be pinged from within the same LAN segment, more specifically from other VMs on the same subnet. Their default gateway, however, is not accessible. They also cannot ping the physical host they are running on, although those are also in the same subnet and VLAN.

The default gateway for these problematic hosts can be pinged from literally any device outside.

My guess is that the problem must be from the networking settings on Hyper-V for these VMs. The VMs that do NOT work are configured with Virtual Switch Tagging, and their physical hosts are connected up to the physical switch through trunk ports.

The one working physical host and its working VM are configured with External Switch Tagging, and are connected to the physical switch through access ports.

One more detail that may or may not be relevant is that the traffic link lights for the ethernet ports on the NON-working physical hosts are flashing like crazy, as well as the link lights associated with them on the physical switch. The working host just has the solid green light for connection up and no traffic light (except of course when I'm pinging it or RDP-ing into it). This may sound like a broadcast storm or loop but I doubt that's the case since the switch just goes back to the main core switch. There is no mesh going on, but more of a star physical topology for our network.

The problem is that I inherited this whole set up from someone much more experienced than I, and he had already left before I even got here. Nothing was left explaining how/why everything is set up as it is and there is no documentation for anything IT related (except for passwords to various systems).

If you guys have no suggestions, I will attempt to connect to the non-communicating hosts directly through the console or with a separate monitor, and change the Hyper-V network settings to match the ones on the working host. But because I have no idea why this was done the way it's done, I can't tell if this won't break something else, so I'm putting that off until I have no ideas left.

Also, since these worked until fairly recently (4 weeks ago), I don't think it should be the configuration that messes things up, as this has not been touched or fiddled with by anyone.

It also doesn't help that my colleagues only told me 3 weeks after the servers stopped working that this happened (we only use these occasionally for archival reasons, our new ERP is in the cloud), so if something that happened during then caused it I can't remember it now.

Thanks everyone and I hope this is enough info for troubleshooting.



Wednesday, June 16, 2021

One softether client suddenly can't ping anything; everyone else has no issue

I'm the only IT person at a nonprofit that has a satellite office. At the main office, we have a virtualized (Hyper-V) Server 2012 machine which is our file server. The people who need remote access to the file server use a softether VPN, with the VPN server hosted on the file server.

One of our senior admins suddenly can't access the share from work or from home. When I use her computer, it connects to the softether VPN just fine, but I can't ping anything on the network. I've tried restarting and resetting all machines, checking the client's network settings, restarting the DNS and softether services on the server, and yet nothing works.

Forum posts elsewhere haven't been super helpful because they often involve trying to set up the VPN for the first time, but that isn't the problem here. I'm afraid to fiddle with much on the server side because it's working fine for everyone else, and I don't want to screw it up. Unfortunately, I'm not terribly knowledgeable about how VPNs work, and my networking knowledge is on the rusty side. It's a relatively simple setup and things usually work, so I don't get much practice fixing them.

Any ideas (or even questions) would be much appreciated!



Open ports on my phone not sure about

When I port scan myself, all ports are closed except for those in the 30k through 50k range. Why are these open, and should I close them for security?

If so how?

Thanks.



Zhone DSLAM Troubleshooting

Hi all,

I picked up a Zhone BitStorm HP2 160 DSLAM from eBay to add to my lab but I'm having trouble getting this thing configured.

  • I can ping and nmap the device on its MGMT port; 22, 23 and 2323 are open. However, I don't have the credentials for the box (even after reset, the regular combinations aren't working).
  • I believe that the device needs to be initially configured with the Console, so I attached my RJ45 -> USB console cable to the "CID" port on the DSLAM but I'm unable to get a TTY whatsoever. I've tried each Baudrate and am not getting any data back at all. I've tried different terminal emulators, computers and console cables.
  • I can't find a manual online since Zhone no longer exists as a company.

Anyone have any ideas? Reddit gold to whoever has the solution...



How to get into IPv6 slowly...

I think it is time for me to slowly get into IPv6. Since you guys helped me in a very good way with my HASS questions, i thought i try it again :)

  • With IPv6 you don't need NAT and DHCP because every device has got a unique IP address. Right? But does that mean that you need to put a firewall on every device? Or do we still use one outgoing IPv6 address to go to the internet via a router?

  • If we still use a router with one outgoing address then we will also still need to use port forwarding, right? And if we still use one outgoing address we would still need to do something like NAT, right?

  • IPv6 is not backwards compatible so if you would only have an IPv6 connection you will not be able to open an IPv4 only website. This is part of the reason why the transition is going so so slow right?

  • When it comes to WAN IPv6 connections, what does DS-Lite, Full Dual Stack and Native IPv6 mean? What is the difference?

  • When looking at a Windows server domain dhcp server, you are able to create a DHCP for IPv6. Why is that?

  • Does (local) DNS still work the same as it does with IPv4? At domain DNS level you don't create an A record anymore but an AAAA record, right? But all the other types of records still function the same?

  • How do you easily read a long IPv6 address? With IPv4 you can "read" the subnet and IP range, for example 192.168.100.0/24.

I hope you guys are able to point me in the right direction. Of course i tried Google, but i often came across a lot of info but not exactly what i meant.

Many thanks in advance!
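For the last question in the post, reading a long IPv6 address the way 192.168.100.0/24 is read, the following Python is an added example (not from the original post). It splits an address into the fields a typical /48 site allocation is read by (routing prefix, 16-bit subnet ID, 64-bit interface ID) using only the standard library's ipaddress module, and shows how an EUI-64 interface ID is derived from a MAC. The sample address 2001:db8:abcd:12::1/64 comes from the documentation range and the MAC 00:11:22:33:44:55 is made up; the /48-plus-16-bit-subnet layout is an assumption about the allocation size, not a property of IPv6 itself.

```python
"""Read a long IPv6 address the way 192.168.100.0/24 is read.

Added example, not from the original post. The sample address
2001:db8:abcd:12::1/64 is constructed from the 2001:db8::/32 documentation
range, and the MAC 00:11:22:33:44:55 is likewise made up.
"""
import ipaddress


def describe(addr_with_prefix):
    """Split an IPv6 address into the fields a typical /48 site allocation is read by.

    Layout assumed here (the common ISP-to-site case): 48-bit routing prefix,
    16-bit subnet ID, 64-bit interface ID. Other allocation sizes shift the
    boundary between prefix and subnet ID, but the /64 interface ID is fixed.
    """
    iface = ipaddress.IPv6Interface(addr_with_prefix)
    addr, net = iface.ip, iface.network
    groups = addr.exploded.split(":")          # 8 zero-padded 16-bit groups
    site = ipaddress.IPv6Network((int(addr), 48), strict=False)
    return {
        "compressed": addr.compressed,         # what you usually see
        "exploded": addr.exploded,             # all 32 hex digits, no '::'
        "routing_prefix": str(site),           # groups 1-3: who routes to the site
        "subnet_id": groups[3],                # group 4: which /64 inside the site
        "interface_id": ":".join(groups[4:]),  # groups 5-8: the host part
        "network": str(net),                   # the /64 this host sits in
        "first_host": str(net[1]),
        "is_link_local": addr.is_link_local,   # fe80::/10, never routed
    }


def address_from_mac(prefix64, mac):
    """Build the EUI-64 interface ID from a MAC and place it in a /64.

    Flip the universal/local bit (0x02) of the first octet and insert ff:fe
    in the middle. Modern stacks usually prefer random or stable-privacy IDs
    (RFC 4941 / RFC 7217) over this, precisely because it leaks the MAC.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    eui64 = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a /64")
    host = int.from_bytes(eui64, "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | host))


if __name__ == "__main__":
    for key, value in describe("2001:db8:abcd:12::1/64").items():
        print(f"{key:16} {value}")
    print("EUI-64 address:",
          address_from_mac("2001:db8:abcd:12::/64", "00:11:22:33:44:55"))
```

The exploded form is the one to read: the first three groups say who the prefix belongs to, the fourth is the subnet number inside the site, and the last four are the host. Because the interface ID is 64 bits there is no host-count arithmetic to do the way there is with a /24; every LAN is a /64. The EUI-64 helper is there because the post asks whether each device is unique: an address derived from the MAC is unique but also reveals the hardware, which is why current operating systems default to randomised or stable-privacy interface IDs instead.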



Subnet mismatch causing issues - even across different networks?

I have a server on 172.23.10.14/23

The gateway is on 172.23.10.1/24

The Site (A) is summarised as 172.23/16

Site B is 172.27/16

I have a server on 172.27.10.100/24

The server on site B cannot access the server on Site A using SMB (well, it sort of can but then it dies after a few KB are transferred).

When I changed the subnet of the server to 172.23.10.14/24 the share came alive and worked immediately.

Why is this? Obviously you WANT the subnets to be correct, but I thought that as the networks are different from each other (even with the /23) that the server would use the gateway and all would work.

Are different devices even aware of the subnet of a peer device?
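The last question has a definite answer that can be shown in code: a host consults only its own mask, never a peer's. The Python below is an added example, not from the original post, using the post's own addresses (server 172.23.10.14 with a /23 versus a /24, gateway 172.23.10.1, site-B peer 172.27.10.100). It implements the single on-link decision a host makes and lists which destinations that decision changes between the two masks. It does not diagnose the SMB stall itself; that depends on how the gateway and the other hosts see 172.23.11.0/24, which the post does not give.

```python
"""What a host's own subnet mask does and does not decide.

Added example, not from the original post. It uses the post's addresses:
server 172.23.10.14 with a /23 versus a /24, gateway 172.23.10.1, and the
site-B peer 172.27.10.100.
"""
import ipaddress


def next_hop(local_iface, gateway, dst):
    """Return 'direct' if dst is on-link for this interface, else the gateway.

    This is the only place a host consults a mask: its own. It never sees the
    peer's mask, so a mismatch only changes behaviour for destinations that
    fall inside one mask's network but not the other's.
    """
    iface = ipaddress.IPv4Interface(local_iface)
    gw = ipaddress.IPv4Address(gateway)
    if gw not in iface.network:
        # Sanity check worth having: a gateway outside the host's own
        # prefix is unreachable with a plain default route.
        raise ValueError(f"gateway {gw} is not on-link for {iface}")
    if ipaddress.IPv4Address(dst) in iface.network:
        return "direct"
    return str(gw)


def on_link_only_under(host_ip, wide, narrow):
    """Blocks the wider mask ARPs for directly but the narrower mask routes via the gateway."""
    w = ipaddress.IPv4Interface(f"{host_ip}/{wide}").network
    n = ipaddress.IPv4Interface(f"{host_ip}/{narrow}").network
    if not n.subnet_of(w):
        raise ValueError("narrow mask must be inside the wide one")
    return [str(block) for block in w.address_exclude(n)]


def compare(host_ip, gateway, destinations, masks=(23, 24)):
    """Tabulate the next hop for every (mask, destination) pair."""
    return {(m, d): next_hop(f"{host_ip}/{m}", gateway, d)
            for m in masks for d in destinations}


if __name__ == "__main__":
    table = compare("172.23.10.14", "172.23.10.1",
                    ["172.27.10.100", "172.23.10.1", "172.23.11.7"])
    for (mask, dst), hop in sorted(table.items()):
        print(f"/{mask}  -> {dst:15}  via {hop}")
    print("on-link only with /23:", on_link_only_under("172.23.10.14", 23, 24))
```

Under both masks 172.27.10.100 goes to the gateway, so the mask cannot have changed how the server reached site B directly. What the /23 does change is 172.23.11.0/24: with the wider mask the server ARPs for those addresses on its own segment instead of sending them to 172.23.10.1, so anything that lives there from the gateway's point of view (or any return path that passes through it) is where to look.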



Unitas Global

Is anyone on here a Unitas Global customer? Looking for an honest opinion on their service.



Ideas for keeping networking equipment from overheating outdoors?

I have a site where I will soon have power and Internet connectivity, but no buildings for a few months. I would like to set up a switch/router/ipcams at the site, but I am afraid that if I just throw them in a cabinet outdoors they might overheat and be exposed to moisture (temp gets up to ~105F where I'm located in July/August). So I was wondering what would be involved in setting up an enclosure which is (a) weatherproof and (b) temperature-controlled.

Now don't laugh, but the first thing that occurred to me is a minifridge covered with a tarp (but exposed enough for the radiated heat to escape from the compressor).

It seems like this would be a common problem in industrial applications, but I suspect that existing solutions would be pricey for a guy like me who is just doing this for personal fun.

How is equipment usually protected in the field where moisture and temperature are a concern?

Edit:

This is my router: https://www.ui.com/edgemax/edgerouter-12/

And this is my switch: https://www.tp-link.com/us/business-networking/easy-smart-switch/tl-sg116e/

(The ipcams are designed to be outdoor, so I'm not worried about them)



Static Route updates

I'm still pretty green, but I had a question about updating static routes. I haven't been able to find the documentation that supports it but I've read that a dead route won't show up in the routing table. I've tested this in packet tracer and I can see both live and dead route destinations in the routing table. My question pertains to updating an existing static route which is currently advertised.

We're changing the destination IP of some of our current static routes. The old IP and new IP will never be active at the same time because we will be using the same interface, just changing the IP. If I leave my current static route and add another static route to a different IP (that doesn't exist yet) will it cause any problems with the current routing until we switch? Is there a better way to do this to reduce downtime for the static routes involved? We're not talking a lot, only 7 static routes total, but the less time down the better for me.

I already plan to go in and clean up the old routes after our changes are made.



VPN

How do I keep all my internet traffic going through the remote server when connecting to a VPN (OpenVPN)? When I am connected as a client to a remote site and I go to a website, that traffic is somehow being routed through that remote site’s internet connection and not my own. This is evidenced by the super slow download speeds and Google maps will show that I’m at the location of the remote site and not my physical location as it normally does when only connected to my local connection. I want to be able to see all the devices on the remote network, but still be able to take advantage of a direct connection to the internet as well.



Datacenter Core Switch Recommendations

I know there has been a ton of core switch recommendation posts and I've been through a bunch of them, and from my understanding it is mostly trying to determine setup and required buffer size. One thing I am trying to better understand: what is the best way to determine how much buffer I would need in my core switch?



NXOS Redistribute OSPF Type-2 routes to eBGP

Ok, I'm dumb... how do i get OSPF type-2 routes to redistribute to an ebgp peer on NXOS?



Ubiquiti: Routing in Wonderland…

TLDR Version:

What in the world is Ubiquiti doing?! Why are we empowering a company that gives a giant middle finger to accepted networking and security standards (not to mention their customers)?

Central Point Here: Why does Ubiquiti listen to every gateway IP (of every network including WAN) as a VIP on every defined network?

Putting aside that this flies in the face of a handful of accepted networking standards and practices, this has the potential of causing several routing and security problems within the environment. Why on earth would we do this?

Most critically, why does deploying firewall rules restricting cross-network communication not stop this behavior? I can tell you why… They define each IP as a VIP on each interface… WTF?!

Full Form:

I have been spending the last week "working" with UI Support to try to untangle a mess around Port Forwarding / Firewall Rules and Routing that has left my head spinning. We have our network built upon the UniFi Dream Machine (UDM) Pro along with several other pieces of Ubiquiti hardware including switches and access points. While there are several things I initially appreciate about the UniFi platform (unsolicited Letterkenny reference...), unfortunately, this deployment has never worked as expected since day one.

Of all the other issues (or frustrations) this latest issue has got me pounding my head against my desk screaming "Why!...." to the networking gods in the heavens. As it turns out, simple networking concepts such as Port Forwarding are never as straightforward as they seem once you enter the Twilight, I mean Ubiquiti, Zone... As it turns out, UniFi takes a rather drastic routing shortcut that has the potential to mess with how the network fundamentally operates: allowing the gateway to listen on every assigned IP address as a VIP on every defined network regardless of the network / VLAN that IP address is associated with on the gateway (even WAN).

What does this mean? In simple terms assuming you have two defined networks on Unifi (192.168.1.0/24 and 192.168.2.0/24), the Unifi gateways (USG or UDM / UDM Pro) will listen for traffic destined to EITHER x.x.1.1 OR x.x.2.1 on both networks – this occurs even when firewall rules are defined specifically to deny inter-network traffic. This is to say that while a host at 192.168.1.100 (Alice) cannot speak to host 192.168.2.100 (Bob), Alice CAN speak to 192.168.2.1 and conversely Bob can also speak to 192.168.1.1 – all of this happening even in environments where networks 192.168.1.0/24 and 192.168.2.0/24 are not able to communicate and should not know of the existence of each other. Okay, so this may not be a total nightmare… unless:

  1. You have very large and complex networks with complex routing requirements.
  2. You have non-Unifi networks defined (sub-networks) lower in the stack that leverage the same IP space as another network in the Unifi platform that for all intents and purposes should not be routable from the network you are operating on… (not a very clean or expected setup, but I have seen this happen on occasion).
  3. MOST CRITICALLY: When you take into account that this same routing shortcut applies to traffic destined for the gateway’s WAN IP address. Yes, that is right, sending traffic to 12.23.34.45 (WAN IP) from Alice (192.168.1.100) goes through exactly one hop as the Unifi system is designed to listen on every port (every network) for traffic to ANY of its IP addresses (regardless of the network that IP address is attached to). It is simply mind boggling that this traffic is not first routing out and then back in.

In the environment in which I am having so many issues, we have the need to make available critical services that exist on the 192.168.3.0/24 network. These services are behind UDP 10520 through 10530 (and yes, the ISP is allowing this traffic) – call this the “Happy” service. Because of the nature of these services and the availability requirements, the Happy services must be accessible at the company’s FQDN (company.com) which, of course, ties back to 12.23.34.45 as the company’s static IP. Port Forwarding rules have been created and enabled to allow such traffic through; however, it is critical to understand that these Port Forwarding rules only apply to the WAN interfaces (WAN / WAN2). This then creates an environment in which, for devices internal to the network, they are not able to route to the Happy service on company.com / 12.23.34.45 as all interfaces (even LAN) are listening on this (WAN) IP address. As the traffic is incoming to 12.23.34.45 on the LAN interface, the Port Forwarding rules are never applied and therefore the traffic cannot route.

Now some may be asking, and somewhat rightfully so, why not just set up the internal (on-network) devices to use the private IP addresses of the Happy service. This could be a great workaround, except, these services must be accessible seamlessly to the user as they move between being on or off the corporate network. This is not to even mention the argument that this is not how routing is supposed to work.

This is not the only instance in which I ran into a particular function or feature within Unifi that didn’t appear to work properly just to find out that Ubiquiti “doesn’t do things that way…” Since the early days of deploying this equipment it became clear to me how Ubiquiti seems to take a dump on accepted networking standards and employ dangerous shortcuts in routing, firewalling, security, and network management. My message to Ubiquiti: let’s grow up, stop taking shortcuts, and actually provide the features and functionality you promise in a manner that aligns with accepted networking standards – please, just have a sit down with the folks over at IEEE.

This would all be far less concerning and aggravating if Ubiquiti support ever really gave a damn and treated their customers with the respect they deserve. Every support experience I have had with Ubiquiti has either ended in “oh, well with how Unify works you can’t do that” or being belittled and talked down to as if I know absolutely nothing about even the simple functions of breathing. This would be like calling up Nike and explaining that my shoes are missing their laces and then being taken through a frustrating three-hour process where they try to explain how to tie my shoes (“is the computer plugged in sir?”). This is not the problem!

To be fair, in a recent conversation with a Manager in their support department, they acknowledged they have several support issues that they are trying to work through, but have never really addressed them. Great, we have reached the acceptance stage, but now is the time to FIX the problem.

Note: Today I work for a large cyberspace security vendor… we too have our support issues. But nothing any of my customers have ever reported (which is some very head scratching and aggravating shit), even comes close to the average support call I have with Ubiquiti.

Let’s be clear… I am not here to simply rail on Ubiquiti and the Unifi platform – well, in some way I am (writing this has actually been very therapeutic). I am here to spread the awareness of these issues so others working with the Unifi platform don’t fall into some of the same pits of despair I have. Believe me, I would much rather be an advocate for Ubiquiti – I mean what are the reasonable alternatives these days (providing similar functionality): Cisco Meraki, which is outlandishly expensive in hardware, support, and licensing costs. I am also here to see if we can start to build a groundswell of support to pressure Ubiquiti into fixing some of these issues and to stop taking such shortcuts.

To frame this discussion (and responses) quickly, I have been in Networking and Cyberspace Security since 2001 (longer than Ubiquiti has been in existence). I have experience architecting and deploying networks of varying complexities and sensitivities from standard corporate networks to highly secure and even air-gapped networks. I have extensive experience working directly with a large range of networking and network security vendors and their products, including: Cisco (including Meraki & Linksys), Juniper, Extreme, Check Point, Fortinet, Palo Alto, NetGear, Dell, HPE (including Aruba & 3Com), and even TACLANE. I also have experience with Cisco ACI, VMware NSX, and with networking in all the major cloud vendors. I say all this in an attempt to weed out knee-jerk responses of “You don’t know what I’m talking about” – though, I am certain those will inevitably come.

I am curious to hear what insights other people here may have along with any other “oddities” where things don’t work as they otherwise should in the world of Ubiquiti.
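To make the behaviour the post contrasts concrete, here is a small packet classifier I added; it is not UniFi code and not the poster's configuration. It models a gateway that evaluates port forwards (DNAT) before deciding whether a packet is for itself, and lets you toggle the two properties the post complains about: whether DNAT is consulted on LAN interfaces as well as WAN (hairpin / NAT reflection), and whether a packet sent to another network's gateway address is subject to the inter-network policy. The addresses, interface names and the inside host 192.168.3.10 are constructed test values from the documentation ranges, standing in for the post's 12.23.34.45 and "Happy" service.

```python
"""Model of the two gateway behaviours contrasted in the post above.

Added example (constructed, not UniFi code): shows why an internal host's
request to the WAN address never reaches a port-forwarded service when the
gateway answers for any of its own addresses on any interface and DNAT is
only evaluated on the WAN side, versus the conventional arrangement with
hairpin DNAT and an inter-network input policy.
"""
import ipaddress

# interface -> (gateway address on it, network it serves); constructed values
INTERFACES = {
    "wan":  ("203.0.113.45", "203.0.113.0/24"),   # stands in for the static WAN IP
    "lan1": ("192.168.1.1", "192.168.1.0/24"),
    "lan2": ("192.168.2.1", "192.168.2.0/24"),
    "lan3": ("192.168.3.1", "192.168.3.0/24"),    # network hosting the service
}
# Port forward: (public address, UDP port range, inside host); constructed
PORT_FORWARDS = [("203.0.113.45", (10520, 10530), "192.168.3.10")]
DENY_INTER_LAN = True   # firewall policy: LAN networks may not talk to each other


def _iface_for(addr):
    """Interface whose network contains addr, or None if it is off-net."""
    ip = ipaddress.ip_address(addr)
    for name, (_, net) in INTERFACES.items():
        if ip in ipaddress.ip_network(net):
            return name
    return None


def handle(ingress, dst, dport, *, dnat_on_all_interfaces, filter_local_across_networks):
    """Classify a UDP packet arriving on `ingress` addressed to dst:dport.

    Returns 'forwarded:<host>', 'local', 'routed' or 'dropped'.  The order
    mirrors a netfilter-style pipeline: DNAT first (pre-routing), then the
    local-delivery decision, then the forward policy.
    """
    # 1. DNAT / port forward.
    for public, (lo, hi), inside in PORT_FORWARDS:
        if dst == public and lo <= dport <= hi:
            if ingress == "wan" or dnat_on_all_interfaces:
                return f"forwarded:{inside}"
            break   # a rule exists but is not consulted on this interface
    # 2. Addressed to one of the gateway's own addresses?
    owner = next((n for n, (a, _) in INTERFACES.items() if a == dst), None)
    if owner is not None:
        if owner == ingress or not filter_local_across_networks:
            return "local"          # answered regardless of ingress network
        crosses_lans = ingress != "wan" and owner != "wan"
        return "dropped" if (crosses_lans and DENY_INTER_LAN) else "local"
    # 3. Forward path: inter-LAN traffic is subject to the deny policy.
    egress = _iface_for(dst) or "wan"
    if ingress != "wan" and egress not in ("wan", ingress) and DENY_INTER_LAN:
        return "dropped"
    return "routed"


DESCRIBED = dict(dnat_on_all_interfaces=False, filter_local_across_networks=False)
CONVENTIONAL = dict(dnat_on_all_interfaces=True, filter_local_across_networks=True)

if __name__ == "__main__":
    for label, mode in (("described", DESCRIBED), ("conventional", CONVENTIONAL)):
        print(label)
        print("  lan1 -> 192.168.2.1      :", handle("lan1", "192.168.2.1", 53, **mode))
        print("  lan1 -> WAN IP:10525     :", handle("lan1", "203.0.113.45", 10525, **mode))
        print("  wan  -> WAN IP:10525     :", handle("wan", "203.0.113.45", 10525, **mode))
```

The interesting row is the second one: under the described behaviour the packet to the WAN address is consumed by the gateway ("local") because the port-forward rule is never consulted on lan1, which is exactly the failure the post reports for on-network users; with hairpin DNAT it reaches the inside host.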



Server & Network Rack Ideas?

We are going to be installing a new server and networking closet in a small 10ftx10ft room. I've never gotten the opportunity to do this (from scratch) and order the hardware for it before. I'm mostly taking over a lot of projects because of past "incompetence."

We're going to have a mix of Fiber (144-pair & Patch) and copper going into these racks. There will also be a combo of DC and AC Power needed as well. Can you show me some solutions to manage all of these "sources" that keep it looking neat and clean? I'm not loyal to any brand or vendor either. Looking at two 42U, 4-post racks. I would like them to be enclosed as well.



Interested in FTTH Network design

Hello everyone. Where can I learn about FTTH network design with software like AutoCAD and QGIS? I can use both confidently, but I need real examples about designing and modifying the FTTH network for the last mile. Are there any books or tutorials I can find for this topic? I need your help please, and thank you very much in advance; looking forward to hearing back from you.



Can a router connect to a VPN on laptop

Forgive me if this is a stupid question

Now my laptop connects to the office network via VPN, and gets assigned an IP, so is it possible for my router to connect to the VPN via my laptop through an ethernet connection

so that the VPN would assign an IP to my router as well?

I'm using a VPN called Pulse Secure, and I have full access to my router, as in I can directly change the config to add something like a firewall rule.



Universal switch/ap config tool

Hey guys, I was just wondering if you know of any tool that can manage and change the config of all my managed switches in our network. The problem is that the office network has so many switches and access points that are different brands, and I don't really want to go through each of their IP addresses just to change the VLAN ID for each port.



Delay to reach website although it is permitted from ACL to VLANs with no internet access


I have a network with HP10512 Core switch, which is the gateway for Internet. I have added ACL to permit some VLANs to Internet and deny others.

We have some websites that should be reachable from all VLANs, so I added their IP addresses to the ACL as permitted destinations. When I open the website from a VLAN with Internet access, it opens without problems, but when I open it from a VLAN with no Internet access, it opens only after a very long time (about 5 min), which is not acceptable.

I tried to add the website (https://lns-sso.lww.com/) to the local DNS server in Forward Lookup Zones, like this:

entry in DNS

but no change.

Could anyone tell me the reason for this delay, or what I can do to make the website reachable from all VLANs without any problems?



Default Gateway Issue in unicast environment

Hello everyone,

Currently our project is on hold due to the gateway issue on all CCTV cameras. Below is the description of the existing setup, project goal and challenges:

Design image link : Network Design

Scope of work :

  • FW01 monitoring and management - Integrator-X
  • Client network management - Integrator-Y
  • New deployment-our company

Goal of the project :

  • All CCTVs will be monitored and videos will be saved on VMS0002 server.
  • All CCTVs should be accessible from Security monitoring center and new VMS0002

Existing Setup :

  • The gateway of all 1400 CCTVs is FW01, IP 10.128.1.1
  • All CCTVs, the server and the firewall are in the same VLAN (100)
  • Cameras are monitored from Security monitoring center.

Current Requirement :

  • CCTV to VMS0002 and vice-versa reachability.

Issue :

  • Cannot ping CCTV from FW02 and VMS0002.
  • Cannot change the gateway on CCTVs.
  • FW01 integrator will not change their IP.

    NOTE : All camera streams are unicast.

We have the same deployment in 150+ sites, and wherever we faced this type of issue, the FW01 and Core SW IPs were interchanged and a static route was configured on the core switch to reach both subnets. Now we have 3 sites whose network is designed and managed by Integrator-Y. The issue in these sites is that the FW01 integrator will not change their IP (no reason given). I have to come up with a solution so that all CCTVs and VMS0002 can communicate with each other.

Need all the possible solution for this case in two scenarios :

Scenario-1.Without any changes in CCTVs and FW01(We can change configuration in Core Switch and FW02 only)

Scenario-2.With changes in CCTVs and FW01



Tuesday, June 15, 2021

Physically migrating Internet BGP router for a client

Hi folks,

As stated in the title, I'm in the process of migrating an Internet BGP router for a client, going from an ISR3945 to an ISR4461. This router connects to one ISP, and another interface connects to an internal segment (iBGP router, as well as a downstream firewall pair which runs static routes).

The customer's current router does not have any timer optimisation, so 60/180 without BFD. It does have a backup router which connects to another ISP.

My colleagues and I tried setting up a lab to see which migration method would incur the least downtime without changing the current configuration (since it is a 24/7 service). We found out that by QUICKLY migrating the physical links to the correct ports on the new router, the BGP session on the simulated ISP router would not be torn down, and only 3-4 packets dropped (9-12s). The new router would establish the BGP session and learn new routes.

Since the config is not changed, the rollback process would occur just in reverse order.

Is this a valid migration method in real world, considering the router is learning like 10K-ish routes from the directly connected ISP alone (default + ISP customer routes)? Of course this would happen during scheduled MW, but we would like to minimise downtime as much as possible.



DWDM +MetroE questions

Hi All

I have a DWDM (Huawei) network which is then connected to a layer 2 metro ethernet system (Juniper). While doing an RFC2544 test, I noticed that the lower MTU will have frame loss if I pump 100% traffic, while jumbo packets have less frame loss. May I know if anyone here has these answers? I need to tone down the traffic setting for it not to have frame loss, but this will result in lower throughput on the small MTU.



HCIE - CCIE - JNCIE?

Lately, I have seen some people getting the Huawei Certified ICT Expert (HCIE) certification. Is this cert as relevant as CCIE (Cisco) or JNCIE (Juniper) in the IT market? Let me know what you think.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Switched Comcast router and now sporadic internet issues with specific sites - HELP!

OK Reddit networking gurus, I've had a day, and need some help!

We have a small (16 person) organization that I am the IT person for. We've been using Comcast for years and just renewed our contract which ended up being cheaper (saved $20/mo) if we upgraded our service to their new Business Security Edge product with a Cradlepoint LTE backup solution that it will fail over to if Comcast goes down.

So Comcast installer comes on site to do install, gets everything installed, "ports over" (or whatever you call it) our static IP address we pay for and the associated settings from old router to new, we test network connectivity, speeds, ensure VPN still works from a hotspot connection as well as from a few remote workers and we are good to go. They go on their way and I start working on my other tasks for the day.

About an hour later I start getting reports from the handful of people working back in the office that they are having strange connectivity issues where they can't reach certain sites.

Super long story / troubleshooting short, here is where we stand:

  • When connected to our office network, I can reach most of the internet no issue. However, there are specific sites (such as msn.com, cnn.com, microsoft.com, and our organization's website (which is hosted elsewhere/offsite)) that I cannot reach via Chrome or Edge, but can reach via Firefox.
  • Of the handful of users in the office, my laptop and one other test machine I pulled out can replicate successfully being able to connect to our organization's website via Firefox, but again no other browsers.
  • All other staff in the office cannot reach any of those sites, regardless of what browser they are using.
  • We have verified that if you are on a hotspot, outside the office etc all sites/browsers work fine.
  • If you are outside the office but connected to VPN issues arise again (which of course makes sense).
  • I started a Tier 1 ticket with Comcast and they couldn't figure anything out, escalated to Tier 2 but won't be able to get back to me until tomorrow.

So what in the world is going on here? In my mind it HAS to be related to some setting on their new router right? We made zero changes to our firewall, which worked fine with the old Comcast router. The ONLY thing I discovered when I first started trying to troubleshoot this on my own, was that the new router was configured to hand out DHCP, which I ultimately disabled, and rebooted the router, and the firewall, no change in issue.

Our configuration for what its worth is:

Comcast modem with static external IP address > single ethernet to SonicWall NSA2600 Firewall that is configured to hand out DHCP for our two subnets (one a BYOD, the other our VOIP phones) > network switches > physical server with three NICs set to static IPs.

The server is running Win Server 2012 R2 (side note we'll be upgrading to Azure hopefully next year) and it is handling DHCP for our internal network devices (laptops, photocopiers, printers etc).

Thanks in advance for any insight, pointers, etc. I hope to hear back from Comcast tomorrow and keep working on this, but it's bugging me not being able to figure this out, and it seems so weird and sporadic. I certainly am not a networking expert, frankly know enough to get in trouble haha.



UPS for small Business

For those of you managing a small business, what type of UPS are you using? We currently have a CyberPower EC850LCD but are looking to upgrade. I'm looking at the CyberPower PR1500LCDN but my manager isn't happy with the price. He has found some cheaper UPSes on Amazon that use simulated sine waves. I don't really know the difference between simulated/non-simulated sine waves so I'm not sure what is appropriate for our small/medium sized office.



C9300X Stencils?

I've got the latest Catalyst stencils off Cisco's website and it doesn't include the C9300X series. Does anyone happen to have a link to these stencils and their modules?



Comcast Enterprise sending me 300+Mbps of SIP traffic?

Interesting scenario here; I have two DIA circuits. One from Lumen, another from Comcast. Comcast is sending me 300+Mbps worth of SIP traffic that is destined for other Comcast IPs. These DIAs do not have any BGP on them. My rules were permitting the traffic (we were just forwarding it back out the Comcast or Lumen based on load balancing rules), but as soon as I threw a policy in to drop it, they stopped sending me traffic. If I allow it again, it takes about 30 minutes and then the SIP traffic starts up again and slowly increases in 15Mbps chunks. This is a new install from Comcast (activated last week). No devices are behind these firewalls yet.

Here are some of the destinations for the SIP traffic

//redacted//

They're all in that //redacted// block....

Anyone here with Comcast enterprise support? Support so far has been worthless.

Image of the bandwidth graph on that circuit: https://i.imgur.com/gXw4ElG.png

EDIT: Got it sorted out. This circuit has a statically routed /27 that was added but never conveyed to me. All of those IPs are part of that /27. So my firewall was 'passing it along' and creating a giant loop, which is why the traffic steadily increased over time.

Interesting! Learn something new everyday.
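The loop in the EDIT has a simple signature: traffic enters from a provider, the firewall has no interface or route that terminates the destination block, so the default route hands it straight back to a provider and it circulates until TTL expires. The check below is an added example (mine, not the poster's firewall or Comcast's configuration) that runs that test over flow records and names the smallest prefix covering the bounced destinations, which is how an unannounced provider-routed block shows up. Interface names, addresses (documentation ranges) and the flow records are constructed; byte counts are arbitrary.

```python
"""Spot upstream-ingress traffic that the firewall can only send back upstream.

Added example (constructed): flag flows that arrived from an ISP interface
but are addressed to space the firewall cannot deliver locally, so the
default route bounces them back to a provider.  A block a provider routes
to you must be terminated (interface, static route, or a reject/blackhole
route); leaving it to the default route is what produces the loop.
"""
import ipaddress
from collections import defaultdict

UPSTREAM_IFACES = {"wan-comcast", "wan-lumen"}          # constructed names
# Prefixes the firewall can deliver without falling through to the default route.
INTERNAL_ROUTES = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed flow records: (ingress interface, src, dst, dst port, bytes)
SAMPLE_FLOWS = [
    ("wan-comcast", "198.51.100.10", "203.0.113.5",  5060, 120_000),
    ("wan-comcast", "198.51.100.11", "203.0.113.9",  5060,  90_000),
    ("wan-comcast", "198.51.100.12", "203.0.113.30", 5060,  60_000),
    ("wan-comcast", "198.51.100.20", "10.0.0.20",     443,  15_000),  # legitimate inbound
    ("lan",         "10.0.0.5",      "192.0.2.99",    443,  40_000),  # normal outbound
]


def deliverable_internally(dst, internal_routes):
    """True if some non-default route covers dst."""
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in internal_routes)


def find_bounced_flows(flows, internal_routes, upstream_ifaces):
    """Return {dst: bytes} for flows that enter on an upstream interface and
    would leave via the default route, i.e. go straight back to a provider."""
    bounced = defaultdict(int)
    for ingress, _src, dst, _port, nbytes in flows:
        if ingress in upstream_ifaces and not deliverable_internally(dst, internal_routes):
            bounced[dst] += nbytes
    return dict(bounced)


def common_supernet(addresses):
    """Smallest single prefix covering all addresses; with a handful of
    bounced destinations this usually outlines the unterminated block."""
    ips = [ipaddress.ip_address(a) for a in addresses]
    net = ipaddress.ip_network(f"{ips[0]}/{ips[0].max_prefixlen}")
    while not all(ip in net for ip in ips):
        net = net.supernet()
    return net


if __name__ == "__main__":
    bounced = find_bounced_flows(SAMPLE_FLOWS, INTERNAL_ROUTES, UPSTREAM_IFACES)
    for dst, nbytes in sorted(bounced.items()):
        print(f"bounced {dst:15} {nbytes:>8} bytes")
    if bounced:
        print("covering prefix:", common_supernet(bounced))
    # Remediation: terminate the block locally; nothing is bounced any more.
    fixed = INTERNAL_ROUTES + [ipaddress.ip_network("203.0.113.0/27")]
    print("after adding the /27:", find_bounced_flows(SAMPLE_FLOWS, fixed, UPSTREAM_IFACES))
```

Running this over NetFlow or firewall session logs during a bandwidth anomaly is a quick way to tell a genuine flood from a self-inflicted loop: a loop shows upstream-ingress traffic to destinations you have no route for, and it stops the moment the block is terminated or dropped.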



Suppress connected routes with BFD?

I'm looking to speed up our network's BGP convergence time in the event of an ISP failure.

Our topology is pretty simple: 2 border routers with 1 ISP circuit on each and basic IBGP between them. The issue is that both ISP circuits are delivered via on-site metro-E switches from the carriers, so unless those switches themselves crash, the physical ISP interfaces remain up.

We're using BFD for fast failure detection, which helps. The problem is that the routers (ASR1001-X with 8G RAM) still take time to withdraw a full BGP table from the RIB and from IBGP. During this time, all prefixes that were routing through the failed ISP are unreachable until their turn to get withdrawn comes along. This is causing dropped VoIP calls, VPN session timeouts, etc. if the prefixes to those services take a while to be withdrawn.

I want to use BGP best-external so both routers will have all backup paths "pre-loaded" for the failover, but the problem is that those damned physical interfaces remain up. Since the next-hop IP of the failed prefixes remains UP in the RIB, it remains reachable in OSPF, thus the backup router does not use its own paths until the failed primary router manages to withdraw all failed prefixes.

Is there a way to make BFD suppress the peering IP from OSPF (or better, from its own RIB) so that they will both immediately start using the other ISP while IBGP withdraws everything?

I'm playing around in GNS3 and I can make this work with EBGP multihop + multihop BFD + Static Route BFD doing fault detection on the EBGP peer loopback IP. That seems excessively complicated, and our ISPs may not even support such a configuration. Is there a way to get BFD to suppress the /30 connected route?



NAT network inside IPSec Site-Site

I am trying to troubleshoot my IPSec Many to One NAT Tunnel I have setup.

I am able to ping across it and browse to the http page of a server however as soon as I try to browse to http://10.21.8.54/subsite I get "Connection Reset" and seeing missing packets in Wireshark.

I am wondering if this is a routing issue or DNS, because I have 2 firewalls. Unfortunately, I had to have Firewall 1 running the IPSec tunnel and then put Firewall 2 behind it. On Firewall 2 I have WAN rules to allow in all traffic from the LAN IP of this 10.21.8.54. I have run PowerShell connection tests to 10.21.8.54 on port 80 and everything passes. I do not know how I can connection-test 10.21.8.54/subsite though.

Any advice appreciated I can post some packet captures from Firewall 1 and 2 eth1 interfaces if it would help:

firewall 1:
17:36:57.649522 IP 192.168.1.38.58674 > 10.21.8.54.80: Flags [P.], seq 1:328, ack 1, win 1025, length 327: HTTP: GET /pss/resourcesIndex.txt.jsp?clientOsName=Windows%2010&clientIs64=true&clientJarType=PS%20Client.jar&clientJVMIs64=true&clientDefaultJVMVersion=1.8.0_282&remoteHostMachineName=HC1 HTTP/1.1
17:36:57.740355 IP 10.21.8.54.80 > 192.168.1.38.58674: Flags [.], ack 328, win 512, length 0
17:36:57.773959 IP 10.21.8.54.80 > 192.168.1.38.58674: Flags [.], seq 1:1383, ack 328, win 512, length 1382: HTTP: HTTP/1.1 200
17:36:57.773984 IP 10.21.8.54.80 > 192.168.1.38.58674: Flags [.], seq 1383:2765, ack 328, win 512, length 1382: HTTP
17:36:57.774087 IP 10.21.8.54.80 > 192.168.1.38.58674: Flags [.], seq 2765:4147, ack 328, win 512, length 1382: HTTP
17:36:57.774252 IP 10.21.8.54.80 > 192.168.1.38.58674: Flags [.], seq 4147:5529, ack 328, win 512, length 1382: HTTP
17:36:58.072966 IP 10.21.8.54.80 > 192.168.1.38.58674: Flags [.], seq 1:1383, ack 328, win 512, length 1382: HTTP: HTTP/1.1 200
17:36:58.691589 IP 10.21.8.54.80 > 192.168.1.38.58674: Flags [.], seq 1:1383, ack 328, win 512, length 1382: HTTP: HTTP/1.1 200
17:36:59.887819 IP 10.21.8.54.80 > 192.168.1.38.58674: Flags [.], seq 1:1383, ack 328, win 512, length 1382: HTTP: HTTP/1.1 200
17:37:02.294050 IP 10.21.8.54.80 > 192.168.1.38.58674: Flags [.], seq 1:1383, ack 328, win 512, length 1382: HTTP: HTTP/1.1 200
17:37:07.110614 IP 10.21.8.54.80 > 192.168.1.38.58674: Flags [.], seq 1:1383, ack 328, win 512, length 1382: HTTP: HTTP/1.1 200
17:37:16.712159 IP 10.21.8.54.80 > 192.168.1.38.58674: Flags [R.], seq 1383, ack 328, win 0, length 0
17:37:16.713221 IP 192.168.1.38.58674 > 10.21.8.54.80: Flags [.], ack 1, win 1025, length 0
17:37:16.738666 IP 10.21.8.54.80 > 192.168.1.38.58674: Flags [R], seq 560975640, win 0, length 0

firewall 2:
14:36:57.645196 IP 192.168.120.16.58674 > 10.21.8.54.80: Flags [P.], seq 1:328, ack 1, win 1025, length 327: HTTP: GET /pss/resourcesIndex.txt.jsp?clientOsName=Windows%2010&clientIs64=true&clientJarType=PS%20Client.jar&clientJVMIs64=true&clientDefaultJVMVersion=1.8.0_282&remoteHostMachineName=HC1 HTTP/1.1
14:36:57.743479 IP 10.21.8.54.80 > 192.168.120.16.58674: Flags [.], ack 328, win 512, length 0
14:37:16.715280 IP 10.21.8.54.80 > 192.168.120.16.58674: Flags [R.], seq 1383, ack 328, win 0, length 0
14:37:16.715821 IP 192.168.120.16.58674 > 10.21.8.54.80: Flags [.], ack 1, win 1025, length 0
14:37:16.741756 IP 10.21.8.54.80 > 192.168.120.16.58674: Flags [R], seq 560975640, win 0, length 0
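The two captures above carry the diagnosis in their sequence numbers: the 327-byte request and the 0-byte ACK pass both firewalls, but the server's 1382-byte segment (seq 1:1383) is seen six times on firewall 1 and never on firewall 2, and the client's ACK never moves past 1 until the server resets. Full-size segments being resent without ever being acknowledged while small segments get through is the signature of a size-dependent drop on the path, typically a path-MTU black hole on a tunnelled hop. The script below is an added example (mine, not the poster's) that makes that check mechanical: it parses tcpdump summary lines of the form shown, reports data segments that were retransmitted without the peer's ACK ever covering them, and lists segments present on the outer capture but absent from the inner one. The embedded sample is the post's own two captures with the GET query string abbreviated; matching across the captures is done on ports and sequence numbers because the inner firewall changes the client's address but keeps the port.

```python
"""Flag TCP data segments retransmitted without ever being acknowledged.

Added example (constructed from the captures in the post above): a small
tcpdump summary-line parser plus two checks, the unacked-retransmission
pattern of a size-dependent drop, and segments missing from a downstream
capture.
"""
import re
from collections import defaultdict

# tcpdump TCP summary line as printed above; the payload description after
# "length N" (": HTTP: GET ...") is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\],"
    r"(?: seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?,)?"
    r"(?: ack (?P<ack>\d+),)? win (?P<win>\d+), length (?P<length>\d+)"
)


def parse_capture(text):
    """Return one dict per recognised tcpdump line; unrecognised lines are skipped."""
    pkts = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for k in ("sport", "dport", "seq", "seq_end", "ack", "win", "length"):
            d[k] = int(d[k]) if d[k] is not None else None
        pkts.append(d)
    return pkts


def unacked_retransmissions(pkts):
    """Data segments sent more than once whose end the peer never acknowledged.

    Returns [(\"src:port -> dst:port\", (seq, seq_end), times_sent, peer_max_ack)].
    """
    sends = defaultdict(int)      # (flow, seq, seq_end) -> times seen
    max_ack = defaultdict(int)    # flow -> highest ack number sent BY that flow
    for p in pkts:
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["length"] > 0 and p["seq_end"] is not None:
            sends[(flow, p["seq"], p["seq_end"])] += 1
        if p["ack"] is not None:
            max_ack[flow] = max(max_ack[flow], p["ack"])
    findings = []
    for (flow, seq, seq_end), n in sends.items():
        reverse = (flow[2], flow[3], flow[0], flow[1])
        acked_to = max_ack.get(reverse, 0)
        if n > 1 and acked_to < seq_end:
            findings.append((f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}",
                             (seq, seq_end), n, acked_to))
    return findings


def segments_missing_downstream(upstream, downstream):
    """Data segments seen upstream but never downstream, keyed on ports,
    sequence range and length so NAT of the addresses does not matter."""
    key = lambda p: (p["sport"], p["dport"], p["seq"], p["seq_end"], p["length"])
    seen = {key(p) for p in downstream if p["length"] > 0}
    return sorted({key(p) for p in upstream if p["length"] > 0} - seen)


# The post's captures (GET query string abbreviated to "...").
FIREWALL1 = """
17:36:57.649522 IP 192.168.1.38.58674 > 10.21.8.54.80: Flags [P.], seq 1:328, ack 1, win 1025, length 327: HTTP: GET /pss/resourcesIndex.txt.jsp?... HTTP/1.1
17:36:57.740355 IP 10.21.8.54.80 > 192.168.1.38.58674: Flags [.], ack 328, win 512, length 0
17:36:57.773959 IP 10.21.8.54.80 > 192.168.1.38.58674: Flags [.], seq 1:1383, ack 328, win 512, length 1382: HTTP: HTTP/1.1 200
17:36:57.773984 IP 10.21.8.54.80 > 192.168.1.38.58674: Flags [.], seq 1383:2765, ack 328, win 512, length 1382: HTTP
17:36:57.774087 IP 10.21.8.54.80 > 192.168.1.38.58674: Flags [.], seq 2765:4147, ack 328, win 512, length 1382: HTTP
17:36:57.774252 IP 10.21.8.54.80 > 192.168.1.38.58674: Flags [.], seq 4147:5529, ack 328, win 512, length 1382: HTTP
17:36:58.072966 IP 10.21.8.54.80 > 192.168.1.38.58674: Flags [.], seq 1:1383, ack 328, win 512, length 1382: HTTP: HTTP/1.1 200
17:36:58.691589 IP 10.21.8.54.80 > 192.168.1.38.58674: Flags [.], seq 1:1383, ack 328, win 512, length 1382: HTTP: HTTP/1.1 200
17:36:59.887819 IP 10.21.8.54.80 > 192.168.1.38.58674: Flags [.], seq 1:1383, ack 328, win 512, length 1382: HTTP: HTTP/1.1 200
17:37:02.294050 IP 10.21.8.54.80 > 192.168.1.38.58674: Flags [.], seq 1:1383, ack 328, win 512, length 1382: HTTP: HTTP/1.1 200
17:37:07.110614 IP 10.21.8.54.80 > 192.168.1.38.58674: Flags [.], seq 1:1383, ack 328, win 512, length 1382: HTTP: HTTP/1.1 200
17:37:16.712159 IP 10.21.8.54.80 > 192.168.1.38.58674: Flags [R.], seq 1383, ack 328, win 0, length 0
17:37:16.713221 IP 192.168.1.38.58674 > 10.21.8.54.80: Flags [.], ack 1, win 1025, length 0
17:37:16.738666 IP 10.21.8.54.80 > 192.168.1.38.58674: Flags [R], seq 560975640, win 0, length 0
"""
FIREWALL2 = """
14:36:57.645196 IP 192.168.120.16.58674 > 10.21.8.54.80: Flags [P.], seq 1:328, ack 1, win 1025, length 327: HTTP: GET /pss/resourcesIndex.txt.jsp?... HTTP/1.1
14:36:57.743479 IP 10.21.8.54.80 > 192.168.120.16.58674: Flags [.], ack 328, win 512, length 0
14:37:16.715280 IP 10.21.8.54.80 > 192.168.120.16.58674: Flags [R.], seq 1383, ack 328, win 0, length 0
14:37:16.715821 IP 192.168.120.16.58674 > 10.21.8.54.80: Flags [.], ack 1, win 1025, length 0
14:37:16.741756 IP 10.21.8.54.80 > 192.168.120.16.58674: Flags [R], seq 560975640, win 0, length 0
"""

if __name__ == "__main__":
    fw1, fw2 = parse_capture(FIREWALL1), parse_capture(FIREWALL2)
    for label, rng, n, acked in unacked_retransmissions(fw1):
        print(f"{label}: segment {rng} sent {n}x, peer acked only up to {acked}")
    print("seen on firewall 1 but not firewall 2:", segments_missing_downstream(fw1, fw2))
```

When the report shows only the full-size segments missing downstream, the next checks are the tunnel's effective MTU and whether ICMP "fragmentation needed" is allowed through both firewalls; MSS clamping on the tunnel interface is the usual mitigation.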



Dual Default Gateway in Ring Topology using EIGRP

So I'm working on my lab; I set myself a challenge to set up a ring topology with a default gateway on both ends of the ring. My goal is to be able to use any of the PCs to ping out to the internet and still have a connection in case one gateway goes down. The PCs are able to ping out, and if I disconnect a link between SW1 or SW4 and R1 or R2, the computer goes to the 2nd uplink and keeps pinging out to the internet. BUT if I disconnect the link between the cloud and the router (which simulates an ISP going down), the PC loses connection and it doesn't go to the backup router.

Is there a configuration to mitigate this?

Image for a better understanding https://imgur.com/a/TIveVNd



Any good (or any) VLAN sim software out there?

So I've been working in small lans, like 20/30 devices max.

I've also been working with pfsense for like 2 years now.

Now I'm looking into a more complex network and I think vlans would be the way to go.

A public one, an admin one, a security / IoT one, etc.

So I've seen some vids, about setting the Interfaces on pfsense, setting on a couple switches, it's not super complex, but I would love to do some testing before deployment.

Is there a tool where you can make the diagram and such and test it?

Or am I dreaming too much?



Share local IP online

Hello. I have a question for all you experts here. I have a PC connected to a local network via a network hub. I can access the surveillance cameras via IP (username and pass). I have no access to the router settings.

Is it possible for me to share this IP online somehow so I can access it from anywhere?



Help with EEM script

Trying to deploy my first EEM script and having issues with getting it to run.

Trying to shut down the Synology2 server and then enable the Synology1 server an hour later. Then later in the week, shut the Synology1 server and enable the Synology2 server.

Can anyone help with what I'm missing? This doesn't appear to be running.

event manager applet shutdown_synology2
 event timer cron cron-entry "00 16 * * 0-2," name shutdown_synology2
 action 010 cli command "enable"
 action 020 cli command "config t"
 action 030 cli command "interface te1/0/26"
 action 040 cli command "shut"
 action 050 cli command "end"
 action 060 syslog msg "Interface Ten1/0/26 has been shutdown"
 action 070 cli command "enable"
 action 080 cli command "config t"
 action 090 cli command "interface te2/0/26"
 action 100 cli command "shut"
 action 110 cli command "end"
 action 120 syslog msg "Interface Ten2/0/26 has been shutdown"
event manager applet enable_synology1
 event timer cron cron-entry "00 17 * * 0-2," name enable_synology1
 action 010 cli command "enable"
 action 020 cli command "config t"
 action 030 cli command "interface Te1/0/33"
 action 040 cli command "no shut"
 action 050 cli command "end"
 action 060 syslog msg "Interface Ten1/0/33 has been restored"
 action 070 cli command "enable"
 action 080 cli command "config t"
 action 090 cli command "interface Te2/0/33"
 action 100 cli command "no shut"
 action 110 cli command "end"
 action 120 syslog msg "Interface Ten2/0/33 has been restored"
event manager applet shutdown_synology1
 event timer cron cron-entry "00 16 * * 3-6" name shutdown_synology1
 action 010 cli command "enable"
 action 020 cli command "config t"
 action 030 cli command "interface Te1/0/33"
 action 040 cli command "shut"
 action 050 cli command "end"
 action 060 syslog msg "Interface Ten1/0/33 has been shutdown"
 action 070 cli command "enable"
 action 080 cli command "config t"
 action 090 cli command "interface Te2/0/33"
 action 100 cli command "shut"
 action 110 cli command "end"
 action 120 syslog msg "Interface Ten2/0/33 has been shutdown"
event manager applet enable_synology2
 event timer cron cron-entry "00 17 * * 3-6" name enable_synology2
 action 010 cli command "enable"
 action 020 cli command "config t"
 action 030 cli command "interface te1/0/26"
 action 040 cli command "no shut"
 action 050 cli command "end"
 action 060 syslog msg "Interface Ten1/0/26 has been restored"
 action 070 cli command "enable"
 action 080 cli command "config t"
 action 090 cli command "interface te2/0/26"
 action 100 cli command "no shut"
 action 110 cli command "end"
 action 120 syslog msg "Interface Ten2/0/26 has been restored"
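A cron-driven EEM applet that never fires is worth checking at the syntax level before anything else, because `event timer cron cron-entry` takes the first five fields of a standard UNIX crontab line and an entry a cron parser rejects simply never schedules. The checker below is an added example (mine, not Cisco code and not from the post): it validates each five-field entry against the standard cron field grammar (numbers, ranges, lists, `*`, optional `/step`; named months and weekdays are not handled) and reports out-of-range values, backwards ranges, zero steps, and empty list elements such as those left by a trailing comma. The sample configuration is a constructed, abbreviated copy of the four timer lines from the post.

```python
"""Syntax check for the cron entries in an EEM applet configuration.

Added example (constructed, not Cisco code): validates five-field cron
entries against the standard UNIX cron grammar and reports anything a cron
parser would reject.  Numeric fields only; names like "mon" are not handled.
"""
import re

FIELDS = (("minute", 0, 59), ("hour", 0, 23), ("day-of-month", 1, 31),
          ("month", 1, 12), ("day-of-week", 0, 7))
# One list element: '*' or N or N-M, optionally followed by '/step'.
ITEM_RE = re.compile(r"^(?:(\*)|(\d+)(?:-(\d+))?)(?:/(\d+))?$")


def validate_cron_entry(entry):
    """Return the list of problems found in a cron entry; empty means valid."""
    fields = entry.split()
    if len(fields) != 5:
        return [f"expected 5 fields, got {len(fields)}: {entry!r}"]
    problems = []
    for (name, lo, hi), field in zip(FIELDS, fields):
        for item in field.split(","):
            if item == "":
                problems.append(f"{name}: empty element in {field!r} (stray comma)")
                continue
            m = ITEM_RE.match(item)
            if m is None:
                problems.append(f"{name}: cannot parse {item!r}")
                continue
            star, start, end, step = m.groups()
            if star is None:
                a = int(start)
                b = int(end) if end is not None else a
                if not (lo <= a <= hi and lo <= b <= hi):
                    problems.append(f"{name}: {item!r} outside {lo}-{hi}")
                elif b < a:
                    problems.append(f"{name}: range {item!r} runs backwards")
            if step is not None and int(step) == 0:
                problems.append(f"{name}: step of 0 in {item!r}")
    return problems


TIMER_RE = re.compile(r'^\s*event timer cron cron-entry "([^"]*)" name (\S+)')


def check_applet_config(config_text):
    """Map each cron timer's name to the problems found in its entry."""
    results = {}
    for line in config_text.splitlines():
        m = TIMER_RE.match(line)
        if m:
            entry, name = m.groups()
            results[name] = validate_cron_entry(entry)
    return results


# Abbreviated, constructed copy of the timer lines from the post above.
SAMPLE_CONFIG = """
event manager applet shutdown_synology2
 event timer cron cron-entry "00 16 * * 0-2," name shutdown_synology2
event manager applet enable_synology1
 event timer cron cron-entry "00 17 * * 0-2," name enable_synology1
event manager applet shutdown_synology1
 event timer cron cron-entry "00 16 * * 3-6" name shutdown_synology1
event manager applet enable_synology2
 event timer cron cron-entry "00 17 * * 3-6" name enable_synology2
"""

if __name__ == "__main__":
    for name, problems in check_applet_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'ok' if not problems else '; '.join(problems)}")
```

Whether the IOS parser is equally strict is not something the post shows, so treat a flagged entry as the first thing to correct and re-test, and confirm scheduling with `show event manager policy registered` and the applet's own syslog messages.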


Server Link lights flashing, cant ping

Hi everyone

Recently our SAP on-prem server (we don't use it anymore, we moved to the cloud but still have the old on-prem hardware that we keep for archive/audit purposes) stopped working.

There are 4 physical hosts each with their own VMs running. One of the physical hosts, as well as its VM, can be pinged and has general connectivity, including internet access. On this one the ethernet link lights (there are 4 ports on each machine) are not flashing; there is only the solid green light telling it's up and running.

The other 3 that cannot be communicated with have the status light normal solid, but the traffic lights flashing like crazy. These (the physical machines as well as their running VMs) are not able to ping their own gateway - destination host unreachable error. The one working physical host/VM mentioned above is on this same VLAN with the same gateway and can ping it successfully.

The switch they are connected to is also lit up like a Christmas tree.

I don't think it is a broadcast storm issue as STP is enabled, but not needed anyway as our switches are not interconnected, they just go back to the main core switch.

Also, for all of these servers (Dells) the iDRAC management web interface works fine. Tried rebooting all of them using that, and the diagnostic says the systems are healthy.

Anyone have any idea what could be the issue here? I'm pretty certain it's a networking issue but not sure what exactly.

Thanks everyone!



Neighborhood aggregation "huts"

I have always wanted to see what one of these look like and what's inside them. I know there are muxes and stuff like that, but for those of you who may work in physical plant or provisioning, what does it look like?

Thinking more about on the "enterprise" (fiber) side vs local cable co. Is it just like a mini datacenter with a few racks, a ton of fiber landing from the street, and some muxes? Maybe a router or two?

The local Verizon guys I deal with for installs say they can't tell me or show me, bummer.